Add storage bucket IAM resources #41

Merged
merged 5 commits into from
Aug 17, 2018
18 changes: 17 additions & 1 deletion README.md
@@ -40,11 +40,20 @@ Since this is an InSpec resource pack, it only defines InSpec resources. It incl

```bash
$ inspec init profile my-profile
Create new profile at /Users/skpaterson/my-profile
* Create directory libraries
* Create file README.md
* Create directory controls
* Create file controls/example.rb
* Create file inspec.yml
* Create file libraries/.gitkeep
```

Now update the default `inspec.yml` file to point to the InSpec GCP resource pack:

```yaml
name: my-profile
title: My own Oneview profile
title: My GCP InSpec Profile
version: 0.1.0
inspec_version: '>= 2.2.10'
depends:
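Review bot: the `inspec init profile` transcript added in this hunk embeds a developer's home directory (`Create new profile at /Users/skpaterson/my-profile`); a neutral path such as `/path/to/my-profile` would keep a personal path out of the README. The `title:` correction from `My own Oneview profile` to `My GCP InSpec Profile` is right, since the old title was a leftover from a different resource pack.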
@@ -87,7 +96,14 @@ The following resources are available in the InSpec GCP Profile
- [google_projects](docs/resources/google_projects.md)
- [google_service_account](docs/resources/google_service_account.md)
- [google_storage_bucket](docs/resources/google_storage_bucket.md)
- [google_storage_bucket_acl](docs/resources/google_storage_bucket_acl.md)
- [google_storage_bucket_iam_binding](docs/resources/google_storage_bucket_iam_binding.md)
- [google_storage_bucket_iam_bindings](docs/resources/google_storage_bucket_iam_bindings.md)
- [google_storage_bucket_object](docs/resources/google_storage_bucket_object.md)
- [google_storage_buckets](docs/resources/google_storage_buckets.md)
- [google_storage_default_object_acl](docs/resources/google_storage_default_object_acl.md)
- [google_storage_object_acl](docs/resources/google_storage_object_acl.md)


## Examples

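Review bot: now that the list carries both legacy ACL resources (`google_storage_bucket_acl`, `google_storage_object_acl`, `google_storage_default_object_acl`) and IAM resources (`google_storage_bucket_iam_binding`, `google_storage_bucket_iam_bindings`), a sentence here stating that Cloud Storage grants access when either the bucket IAM policy or the ACL allows it would steer users toward auditing both: a profile that only checks `google_storage_bucket_iam_bindings` for `allUsers` will miss a public `READER` grant that lives in the bucket ACL.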
49 changes: 49 additions & 0 deletions docs/resources/google_storage_bucket_acl.md
@@ -0,0 +1,49 @@
---
title: About the google_storage_bucket_acl Resource
platform: gcp
---

# google\_storage\_bucket\_acl

Use the `google_storage_bucket_acl` InSpec audit resource to test properties of a single GCP storage bucket ACL. The 'entity' property below is as described in the [Google documentation here](https://cloud.google.com/storage/docs/json_api/v1/bucketAccessControls).

<br>

## Syntax

A `google_storage_bucket_acl` resource block declares the tests for a single GCP storage bucket ACL by bucket name and entity.

describe google_storage_bucket_acl(bucket: 'bucket-buvsjjcndqz', entity: '[email protected]') do
it { should exist }
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that a GCP storage bucket ACL exists

describe google_storage_bucket_acl(bucket: 'bucket-buvsjjcndqz', entity: '[email protected]') do
it { should exist }
end

### Test that a GCP storage bucket ACL has the expected role (READER, WRITER or OWNER)

describe google_storage_bucket_acl(bucket: 'bucket-buvsjjcndqz', entity: '[email protected]') do
its('role') { should eq 'OWNER' }
end

<br>

## Properties

* `bucket`, `email`, `entity`, `etag`, `id`, `kind`, `role`

<br>


## GCP Permissions

Ensure the [Google Cloud Storage API](https://console.cloud.google.com/apis/api/storage-component.googleapis.com/) is enabled.
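Review bot: both examples assert that an ACL entry exists or carries a given role, but the check most users of this resource will want is the negative one, that no public entity is present; the linked bucketAccessControls reference documents `allUsers` and `allAuthenticatedUsers` as valid `entity` values, so an example such as `describe google_storage_bucket_acl(bucket: 'bucket-buvsjjcndqz', entity: 'allUsers') do` / `it { should_not exist }` / `end` would be worth adding. Minor: "The 'entity' property below" in the intro refers to a resource argument rather than a property, and the `email` property is not populated for every entity type (the API only returns it for entities that have one), which the Properties list could say.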
50 changes: 50 additions & 0 deletions docs/resources/google_storage_bucket_iam_binding.md
@@ -0,0 +1,50 @@
---
title: About the google_storage_bucket_iam_binding Resource
platform: gcp
---

# google\_storage\_bucket\_iam\_binding

Use the `google_storage_bucket_iam_binding` InSpec audit resource to test properties of a single GCP storage bucket IAM binding.

<br>

## Syntax

A `google_storage_bucket_iam_binding` resource block declares the tests for a single GCP storage bucket IAM binding by bucket name and role.

describe google_storage_bucket_iam_binding(bucket: 'bucket-buvsjjcndqz', role: 'roles/storage.objectViewer') do
it { should exist }
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that a GCP storage bucket IAM binding exists

describe google_storage_bucket_iam_binding(bucket: 'bucket-buvsjjcndqz', role: 'roles/storage.admin') do
it { should exist }
end

### Test that a GCP storage bucket IAM binding role has the desired user or service account included

describe google_storage_bucket_iam_binding(bucket: 'bucket-buvsjjcndqz', role: 'roles/storage.admin') do
its('members') {should include 'user:[email protected]' }
its('members') {should include 'serviceAccount:[email protected]' }
end

<br>

## Properties

* `members`

<br>


## GCP Permissions

Ensure the [Google Cloud Storage API](https://console.cloud.google.com/apis/api/storage-component.googleapis.com/) is enabled.
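Review bot: the GCP Permissions section only says to enable the Storage API, but reading a bucket's IAM policy (the underlying `buckets.getIamPolicy` call) also requires the `storage.buckets.getIamPolicy` permission on the bucket, and it is worth stating that here so readers know what the auditing identity needs. As with the ACL doc, an example asserting that public principals are absent, e.g. `its('members') { should_not include 'allUsers' }` and `its('members') { should_not include 'allAuthenticatedUsers' }` under `roles/storage.objectViewer`, shows the main use of this resource better than the positive `should include` checks alone. Style: `its('members') {should include ...}` is missing the space after `{` that the other docs use.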
68 changes: 68 additions & 0 deletions docs/resources/google_storage_bucket_iam_bindings.md
@@ -0,0 +1,68 @@
---
title: About the google_storage_bucket_iam_bindings Resource
platform: gcp
---

# google\_storage\_bucket\_iam\_bindings

Use the `google_storage_bucket_iam_bindings` InSpec audit resource to test properties of all, or a filtered group of, GCP storage bucket IAM bindings.

<br>

## Syntax

A `google_storage_bucket_iam_bindings` resource block collects GCP storage bucket IAM bindings then tests that group.

describe google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz') do
it { should exist }
end

Use this InSpec resource to enumerate roles then test in-depth using `google_project_iam_binding`.

google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz').iam_binding_roles.each do |iam_binding_role|
describe google_storage_bucket_iam_binding(bucket: 'bucket-buvsjjcndqz', role: iam_binding_role) do
it { should exist }
its('members') {should include 'user:[email protected]' }
end
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that there are no more than a specified number of IAM bindings roles available for the bucket

describe google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz') do
its('count') { should be <= 100}
end

### Test that an expected role is available for the bucket

describe google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz') do
its('iam_binding_roles') { should include "roles/storage.admin" }
end

### Test that a particular role does not exist using filtering of the plural resource

describe google_storage_bucket_iam_bindings(bucket: 'bucket-buvsjjcndqz').where(iam_binding_role: "roles/iam.securityReviewer") do
it { should_not exist }
end

<br>

## Filter Criteria

This resource supports the following filter criteria: `iam_binding_role`. This may be used with `where`, as a block or as a method.

## Properties

* `iam_binding_roles` - an array of google_storage_bucket_iam_binding role strings e.g. `["roles/storage.admin", "roles/owner"]`

<br>


## GCP Permissions

Ensure the [Google Cloud Storage API](https://console.cloud.google.com/apis/api/storage-component.googleapis.com/) is enabled.
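Review bot: the sentence "then test in-depth using `google_project_iam_binding`" names the wrong resource; the code directly below it (and the rest of this doc) uses `google_storage_bucket_iam_binding`, so this reads as carried over from the project IAM doc. The enumeration example also asserts `its('members') {should include 'user:[email protected]' }` for every role returned by `iam_binding_roles`, which fails on any bucket where that user holds only one role; a loop should assert something expected to hold for every binding, such as `its('members') { should_not include 'allUsers' }`. Style: `should be <= 100}` is missing a space before `}`, and `{should include` is missing one after `{`.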
70 changes: 70 additions & 0 deletions docs/resources/google_storage_bucket_object.md
@@ -0,0 +1,70 @@
---
title: About the google_storage_bucket_object Resource
platform: gcp
---

# google\_storage\_bucket\_object

Use the `google_storage_bucket_object` InSpec audit resource to test properties of a single GCP storage bucket object.

<br>

## Syntax

A `google_storage_bucket_object` resource block declares the tests for a single GCP storage bucket object by bucket name and object name:

describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do
it { should exist }
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that a GCP compute zone exists

describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do
it { should exist }
end

### Test that a GCP storage bucket object has non-zero size

describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do
its('size') { should be > 0 }
end

### Test that a GCP storage bucket object has the expected content type

describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do
its('content_type') { should eq "text/plain; charset=utf-8" }
end


### Test that a GCP storage bucket object was created within a certain time period

describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do
its('time_created_date') { should be > Time.now - 365*60*60*24*10 }
end


### Test that a GCP storage bucket object was last updated within a certain time period

describe google_storage_bucket_object(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq') do
its('updated_date') { should be > Time.now - 365*60*60*24*10 }
end


<br>

## Properties

* `bucket`, `content_type`, `crc32c`, `etag`, `generation`, `id`, `kind`, `md5_hash`, `media_link`, `metageneration`, `name`, `size`, `storage_class`, `time_created_date`, `time_storage_class_updated_date`, `updated_date`

<br>


## GCP Permissions

Ensure the [Google Cloud Storage API](https://console.cloud.google.com/apis/api/storage-component.googleapis.com/) is enabled.
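Review bot: the heading "Test that a GCP compute zone exists" is a copy-paste leftover and should read "Test that a GCP storage bucket object exists". In the two date examples, `Time.now - 365*60*60*24*10` works out to ten years, which makes "within a certain time period" hard to read at a glance; write the period out (e.g. `10*365*24*60*60` with a comment saying ten years) or use a shorter window that matches what a profile would actually assert. Since the Properties list includes `crc32c` and `md5_hash`, an example pinning an object's checksum to a known value would show the integrity use case (confirming a deployed config or binary in a bucket has not been replaced), which none of the current examples cover.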
49 changes: 49 additions & 0 deletions docs/resources/google_storage_default_object_acl.md
@@ -0,0 +1,49 @@
---
title: About the google_storage_default_object_acl Resource
platform: gcp
---

# google\_storage\_default\_object\_acl

Use the `google_storage_default_object_acl` InSpec audit resource to test properties of a single GCP storage default object ACL. See the [Google documentation for this here](https://cloud.google.com/storage/docs/access-control/lists) covering the possible values for 'entity' argument below.

<br>

## Syntax

A `google_storage_default_object_acl` resource block declares the tests for a single GCP storage default object ACL by bucket name and entity.

describe google_storage_default_object_acl(bucket: 'bucket-buvsjjcndqz', entity: '[email protected]') do
it { should exist }
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that a GCP storage bucket ACL exists

describe google_storage_default_object_acl(bucket: 'bucket-buvsjjcndqz', entity: '[email protected]') do
it { should exist }
end

### Test that a GCP storage default object ACL has the expected role (READER, WRITER or OWNER)

describe google_storage_default_object_acl(bucket: 'bucket-buvsjjcndqz', entity: '[email protected]') do
its('role') { should eq 'OWNER' }
end

<br>

## Properties

* `email`, `entity`, `etag`, `kind`, `role`

<br>


## GCP Permissions

Ensure the [Google Cloud Storage API](https://console.cloud.google.com/apis/api/storage-component.googleapis.com/) is enabled.
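Review bot: the heading "Test that a GCP storage bucket ACL exists" is carried over from the bucket ACL doc and should say "default object ACL". The next heading lists the role values as "READER, WRITER or OWNER", but WRITER is a bucket-only permission; object ACLs, including a bucket's default object ACL, only take `OWNER` or `READER`, so the parenthetical should be "(READER or OWNER)". As with the bucket ACL doc, an example asserting that `entity: 'allUsers'` `should_not exist` is the check most profiles will want, since a default object ACL granting `allUsers` READER makes every newly uploaded object public.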
49 changes: 49 additions & 0 deletions docs/resources/google_storage_object_acl.md
@@ -0,0 +1,49 @@
---
title: About the google_storage_object_acl Resource
platform: gcp
---

# google\_storage\_object\_acl

Use the `google_storage_object_acl` InSpec audit resource to test properties of a single GCP storage object ACL. See the [Google documentation for this here](https://cloud.google.com/storage/docs/access-control/lists) covering the possible values for 'entity' argument below.

<br>

## Syntax

A `google_storage_object_acl` resource block declares the tests for a single GCP storage object ACL by bucket name, object name and entity.

describe google_storage_object_acl(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq', entity: '[email protected]') do
it { should exist }
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that a GCP storage bucket ACL exists

describe google_storage_object_acl(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq', entity: '[email protected]') do
it { should exist }
end

### Test that a GCP storage object ACL has the expected role (READER, WRITER or OWNER)

describe google_storage_object_acl(bucket: 'bucket-buvsjjcndqz', object: 'bucket-object-pmxbiikq', entity: '[email protected]') do
its('role') { should eq 'OWNER' }
end

<br>

## Properties

* `bucket`, `email`, `entity`, `etag`, `generation`, `id`, `kind`, `object`, `role`

<br>


## GCP Permissions

Ensure the [Google Cloud Storage API](https://console.cloud.google.com/apis/api/storage-component.googleapis.com/) is enabled.
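Review bot: the same two copy-paste issues as in the default object ACL doc: the heading "Test that a GCP storage bucket ACL exists" should say "object ACL", and "(READER, WRITER or OWNER)" should be "(READER or OWNER)" because object ACLs have no WRITER role. The intro links to the ACL overview page, whereas `google_storage_bucket_acl` links to the JSON API reference for its entity values; linking the matching objectAccessControls API reference here would keep the two docs consistent.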