Add kms resources #36

Merged
merged 8 commits into from
Jul 5, 2018
8 changes: 8 additions & 0 deletions README.md
@@ -72,6 +72,14 @@ The following resources are available in the InSpec GCP Profile
- [google_container_clusters](docs/resources/google_container_clusters.md)
- [google_container_node_pool](docs/resources/google_container_node_pool.md)
- [google_container_node_pools](docs/resources/google_container_node_pools.md)
- [google_kms_crypto_key](docs/resources/google_kms_crypto_key.md)
- [google_kms_crypto_key_iam_binding](docs/resources/google_kms_crypto_key_iam_binding.md)
- [google_kms_crypto_key_iam_bindings](docs/resources/google_kms_crypto_key_iam_bindings.md)
- [google_kms_crypto_keys](docs/resources/google_kms_crypto_keys.md)
- [google_kms_key_ring](docs/resources/google_kms_key_ring.md)
- [google_kms_key_ring_iam_binding](docs/resources/google_kms_key_ring_iam_binding.md)
- [google_kms_key_ring_iam_bindings](docs/resources/google_kms_key_ring_iam_bindings.md)
- [google_kms_key_rings](docs/resources/google_kms_key_rings.md)
- [google_project](docs/resources/google_project.md)
- [google_project_iam_binding](docs/resources/google_project_iam_binding.md)
- [google_project_iam_bindings](docs/resources/google_project_iam_bindings.md)
62 changes: 62 additions & 0 deletions docs/resources/google_kms_crypto_key.md
@@ -0,0 +1,62 @@
---
title: About the google_kms_crypto_key Resource
platform: gcp
---

# google\_kms\_crypto\_key

Use the `google_kms_crypto_key` InSpec audit resource to test properties of a single GCP KMS crypto key. See [this page](https://cloud.google.com/kms/docs/object-hierarchy?hl=en_US&_ga=2.223343707.-1730338523.1522320263#cryptokeyversion) for useful background.

<br>

## Syntax

A `google_kms_crypto_key` resource block declares the tests for a single GCP KMS crypto key by project, location, key ring name and key name.

describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
it { should exist }
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that a GCP KMS crypto key was created recently

describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
its('create_time_date') { should be > Time.now - 365*60*60*24*10 }
end

### Test when the next rotation time for a GCP KMS crypto key is scheduled

describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
its('next_rotation_time_date') { should be > Time.now - 100000 }
end

### Check that the crypto key purpose is as expected

describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
its('purpose') { should eq "ENCRYPT_DECRYPT" }
end

### Check that the crypto key primary is in "ENABLED" state

describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
its('primary_state') { should eq "ENABLED" }
end


<br>

## Properties

* `create_time`, `create_time_date`, `name`, `crypto_key_name`, `crypto_key_url`, `next_rotation_time`, `next_rotation_time_date`, `primary_create_time`, `primary_create_time_date`, `primary_name`, `primary_state`, `purpose`, `rotation_period`

<br>


## GCP Permissions

Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the project where the resource is located.
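Review bot: the two time-based examples in this hunk do not test what their headings promise. `its('create_time_date') { should be > Time.now - 365*60*60*24*10 }` is a ten-year window, which is not "created recently", and `its('next_rotation_time_date') { should be > Time.now - 100000 }` accepts a next-rotation timestamp that is already in the past; a scheduled rotation should be checked with `should be > Time.now`, and a rotation-hygiene control would more usefully assert an upper bound on `rotation_period`, which is listed under Properties but never shown in an example. Two smaller points: the background link carries `hl` and `_ga` tracking parameters that should be dropped in favour of the canonical URL, and the "GCP Permissions" section only says to enable the API; it should also state what the identity running the profile needs in order to read the key, and what `next_rotation_time_date` returns for a key with no rotation schedule.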
49 changes: 49 additions & 0 deletions docs/resources/google_kms_crypto_key_iam_binding.md
@@ -0,0 +1,49 @@
---
title: About the google_kms_crypto_key_iam_binding Resource
platform: gcp
---

# google\_kms\_crypto\_key\_iam\_binding

Use the `google_kms_crypto_key_iam_binding` InSpec audit resource to test properties of a single GCP KMS Crypto Key IAM Binding.

<br>

## Syntax

A `google_kms_crypto_key_iam_binding` resource block declares the tests for a single KMS Crypto Key IAM Binding for specified role.

describe google_kms_crypto_key_iam_binding(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name', role: "roles/owner") do
it { should exist }
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that a GCP KMS Crypto Key IAM Binding exists for the specified role

describe google_kms_crypto_key_iam_binding(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name', role: "roles/owner") do
it { should exist }
end

### Test that a GCP KMS Crypto Key IAM Binding has the desired user included for the specified role

describe google_kms_crypto_key_iam_binding(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name', role: "roles/owner") do
its('members') {should include 'user:[email protected]' }
end

<br>

## Properties

* `members`

<br>


## GCP Permissions

Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the project where the resource is located.
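Review bot: both examples bind `roles/owner` to a crypto key, which is a primitive project-level role rather than a Cloud KMS role; using a KMS role would make the example realistic and show readers the resource is meant for auditing key-level permissions. The doc also shows only a positive `should include` check; the security-relevant use of this resource is the negative case, e.g. `its('members') { should_not include 'allUsers' }`, and it is worth adding. Minor: `{should include` is missing the space after the brace, and the file mixes `"roles/owner"` with single-quoted strings elsewhere.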
68 changes: 68 additions & 0 deletions docs/resources/google_kms_crypto_key_iam_bindings.md
@@ -0,0 +1,68 @@
---
title: About the google_kms_crypto_key_iam_bindings Resource
platform: gcp
---

# google\_kms\_crypto\_key\_iam\_bindings

Use the `google_kms_crypto_key_iam_bindings` InSpec audit resource to test properties of all, or a filtered group of, GCP KMS Crypto Key IAM Bindings.

<br>

## Syntax

A `google_kms_crypto_key_iam_bindings` resource block collects GCP KMS Crypto Key IAM Bindings then tests that group.

describe google_kms_crypto_key_iam_bindings(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name') do
it { should exist }
end

Use this InSpec resource to enumerate roles then test in-depth using `google_kms_key_ring_iam_binding`.

google_kms_crypto_key_iam_bindings(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name').iam_binding_roles.each do |iam_binding_role|
describe google_kms_crypto_key_iam_binding(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name', role: "roles/owner") do
it { should exist }
its('members') {should include 'user:[email protected]' }
end
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that there are no more than a specified number of IAM bindings roles available for the crypto key

describe google_kms_crypto_key_iam_bindings(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name') do
its('count') { should be <= 100}
end

### Test that an expected IAM binding is available for the crypto key

describe google_kms_crypto_key_iam_bindings(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name') do
its('iam_binding_roles') { should include "roles/storage.admin" }
end

### Test that a particular role does not exist using filtering of the plural resource

describe google_kms_crypto_key_iam_bindings(crypto_key_url: 'projects/project/locations/europe-west2/keyRings/key-ring/cryptoKeys/key-name').where(iam_binding_role: "roles/iam.securityReviewer") do
it { should_not exist }
end

<br>

## Filter Criteria

This resource supports the following filter criteria: `iam_binding_role`. This may be used with `where`, as a block or as a method.

## Properties

* `iam_binding_roles` - an array of google_kms_crypto_key_iam_binding role strings e.g. `["roles/compute.admin", "roles/owner"]`

<br>


## GCP Permissions

Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the project where the resource is located.s
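Review bot: the enumerate-then-test example in this hunk is wrong in two places. The intro says to test in depth with `google_kms_key_ring_iam_binding`, but the resource being documented pairs with `google_kms_crypto_key_iam_binding` (which is what the code beneath it calls), and the loop variable `iam_binding_role` is never used: the inner `describe` hardcodes `role: "roles/owner"`, so every iteration tests the same binding. It should read `role: iam_binding_role`. The "expected IAM binding" example asserts `roles/storage.admin` on a crypto key, which looks copied from the storage docs; a Cloud KMS role would be a better fit. Also the last line has a stray `s` after `located.`.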
65 changes: 65 additions & 0 deletions docs/resources/google_kms_crypto_keys.md
@@ -0,0 +1,65 @@
---
title: About the google_kms_crypto_keys Resource
platform: gcp
---

# google\_kms\_crypto\_keys

Use the `google_kms_crypto_keys` InSpec audit resource to test properties of all, or a filtered group of, GCP KMS crypto keys for supplied project, location and key ring name.

<br>

## Syntax

A `google_kms_crypto_keys` resource block collects GCP KMS crypto keys then tests that group.

describe google_kms_crypto_keys(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring') do
it { should exist }
end

Use this InSpec resource to enumerate IDs then test in-depth using `google_kms_crypto_key`.

describe google_kms_crypto_keys(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring').crypto_key_names.each do |key_name|
describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: key_name) do
it { should exist }
its('create_time_date') { should be > Time.now - 365*60*60*24*10 }
its('purpose') { should eq "ENCRYPT_DECRYPT" }
its('primary_state') { should eq "ENABLED" }
end
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that there are no more than a specified number of keys in the key ring

describe google_kms_crypto_keys(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring') do
its('count') { should be <= 100}
end

### Test that an expected key name is present in the key ring

describe google_kms_crypto_keys(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring') do
its('crypto_key_names') { should include "my-crypto-key-name" }
end

<br>

## Filter Criteria

This resource supports the following filter criteria: `key_name`. This may be used with `where`, as a block or as a method.

## Properties

* `crypto_key_names` - an array of google_kms_crypto_key name strings e.g. `['key-name']`
* `crypto_key_urls` - an array of google_kms_crypto_key url strings e.g. `['projects/PROJECT/locations/LOCATION/keyRings/key-ring-name/cryptoKeys/key-name']`

<br>


## GCP Permissions

Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the project where the resource is located.
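Review bot: the enumeration example at the top of this hunk will not run as written: in `describe google_kms_crypto_keys(...).crypto_key_names.each do |key_name|` the `do ... end` block attaches to `describe`, not to `.each`, so `key_name` is never bound and the outer `describe` receives an enumerator. Drop the leading `describe`, as the equivalent example in google_kms_crypto_key_iam_bindings.md does. The `create_time_date` assertion repeats the ten-year window from the singular doc. Separately, the filter criterion is documented as `key_name` while the property is `crypto_key_names`; please confirm the criterion name matches the implementation, since the IAM bindings resource uses the consistent pair `iam_binding_role`/`iam_binding_roles`.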
51 changes: 51 additions & 0 deletions docs/resources/google_kms_key_ring.md
@@ -0,0 +1,51 @@
---
title: About the google_kms_key_ring Resource
platform: gcp
---

# google\_kms\_key\_ring

Use the `google_kms_key_ring` InSpec audit resource to test properties of a single GCP kms key ring.

<br>

## Syntax

A `google_kms_key_ring` resource block declares the tests for a single GCP key ring by project and name.

describe google_kms_key_ring(project: 'chef-inspec-gcp', location: 'us-east1', name: 'key-ring-name') do
it { should exist }
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that a GCP kms key ring exists

describe google_kms_key_ring(project: 'chef-inspec-gcp', location: 'us-east1', name: 'key-ring-name') do
it { should exist }
end

### Test that a GCP kms key ring is in the expected state

For any existing key ring, below should definitely be true!

describe google_kms_key_ring(project: 'chef-inspec-gcp', location: 'us-east1', name: 'key-ring-name') do
its('create_time_date') { should be > Time.now - 365*60*60*24*50 }
end

<br>

## Properties

* `create_time`, `create_time_date`, `name`, `key_ring_name`, `key_ring_url`

<br>


## GCP Permissions

Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the project where the resource is located.
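Review bot: the Syntax paragraph says a key ring is identified "by project and name", but the call requires `location` as well; say so, since a ring name is only unique within a location. The second example is headed "is in the expected state" but tests only that `create_time_date` is within the last fifty years, which (as the sentence above it admits) is always true and therefore not a useful control; either retitle it as a creation-date check with a meaningful window or drop it. The exclamation in "below should definitely be true!" is out of register for reference docs.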
50 changes: 50 additions & 0 deletions docs/resources/google_kms_key_ring_iam_binding.md
@@ -0,0 +1,50 @@
---
title: About the google_kms_key_ring_iam_binding Resource
platform: gcp
---

# google\_kms\_key\_ring\_iam\_binding

Use the `google_kms_key_ring_iam_binding` InSpec audit resource to test properties of a single GCP KMS key ring IAM binding.

<br>

## Syntax

A `google_kms_key_ring_iam_binding` resource block declares the tests for a single GCP KMS key ring IAM binding by role.

describe google_kms_key_ring_iam_binding(key_ring_url: 'projects/project/locations/europe-west2/keyRings/key-ring', role: 'roles/compute.admin') do
it { should exist }
its('members') {should include 'user:[email protected]' }
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that a GCP project KMS key ring IAM binding exists

describe google_kms_key_ring_iam_binding(key_ring_url: 'projects/project/locations/europe-west2/keyRings/key-ring', role: 'roles/compute.admin') do
it { should exist }
end

### Test that a GCP project KMS key ring IAM binding has the desired user included

describe google_kms_key_ring_iam_binding(key_ring_url: 'projects/project/locations/europe-west2/keyRings/key-ring', role: 'roles/compute.admin') do
its('members') {should include 'user:[email protected]' }
end

<br>

## Properties

* `members`

<br>


## GCP Permissions

Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the project where the resource is located.
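Review bot: the two example headings read "GCP project KMS key ring IAM binding", where "project" is left over from the project IAM binding doc and should be dropped. The examples bind `roles/compute.admin` to a key ring, which is not a Cloud KMS role; use a KMS role so the example reflects a real key-ring policy. As with the crypto key binding doc, a negative check (`should_not include` a public or over-broad member) is the case practitioners need and is missing. Minor: `{should include` lacks a space after the brace.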