diff --git a/README.md b/README.md
index b7ad073b4..45856647c 100644
--- a/README.md
+++ b/README.md
@@ -75,6 +75,10 @@ The following resources are available in the InSpec GCP Profile
- [google_compute_instance_group](docs/resources/google_compute_instance_group.md)
- [google_compute_instance_groups](docs/resources/google_compute_instance_groups.md)
- [google_compute_instances](docs/resources/google_compute_instances.md)
+- [google_compute_network](docs/resources/google_compute_network.md)
+- [google_compute_networks](docs/resources/google_compute_networks.md)
+- [google_compute_subnetwork](docs/resources/google_compute_subnetwork.md)
+- [google_compute_subnetworks](docs/resources/google_compute_subnetworks.md)
- [google_compute_zone](docs/resources/google_compute_zone.md)
- [google_compute_zones](docs/resources/google_compute_zones.md)
- [google_container_cluster](docs/resources/google_container_cluster.md)
diff --git a/docs/resources/google_compute_network.md b/docs/resources/google_compute_network.md
new file mode 100644
index 000000000..bfd954c13
--- /dev/null
+++ b/docs/resources/google_compute_network.md
@@ -0,0 +1,77 @@
+---
+title: About the google_compute_network Resource
+platform: gcp
+---
+
+# google\_compute\_network
+
+Use the `google_compute_network` InSpec audit resource to test properties of a single GCP compute network.
+
+
+
+## Syntax
+
+A `google_compute_network` resource block declares the tests for a single GCP zone by project and name.
+
+ describe google_compute_network(project: 'chef-inspec-gcp', name: 'gcp-inspec-network') do
+ it { should exist }
+ its('name') { should eq 'gcp-inspec-network' }
+ end
+
+
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that a GCP compute network exists
+
+ describe google_compute_network(project: 'chef-inspec-gcp', name: 'gcp-inspec-network') do
+ it { should exist }
+ end
+
+### Test when a GCP compute network was created
+
+ describe google_compute_network(project: 'chef-inspec-gcp', name: 'gcp-inspec-network') do
+ its('creation_timestamp_date') { should be > Time.now - 365*60*60*24*10 }
+ end
+
+### Test for an expected network identifier
+
+ describe google_compute_network(project: 'chef-inspec-gcp', name: 'gcp-inspec-network') do
+ its('id') { should eq 12345567789 }
+ end
+
+
+### Test whether a single attached subnetwork name is correct
+
+ describe google_compute_network(project: 'chef-inspec-gcp', name: 'gcp-inspec-network') do
+ its ('subnetworks.count') { should eq 1 }
+ its ('subnetworks.first') { should match "subnetwork-name"}
+ end
+
+### Test whether the network is configured to automatically create subnetworks or not
+
+ describe google_compute_network(project: 'chef-inspec-gcp', name: 'gcp-inspec-network') do
+ its ('auto_create_subnetworks'){ should be false }
+ end
+
+
+### Check the network routing configuration routing mode
+
+ describe google_compute_network(project: 'chef-inspec-gcp', name: 'gcp-inspec-network') do
+ its ('routing_config.routing_mode') { should eq "REGIONAL" }
+ end
+
+
+
+## Properties
+
+* `auto_create_subnetworks`, `creation_timestamp`, `creation_timestamp_date`, `id`, `kind`, `name`, `routing_config`, `subnetworks`
+
+
+
+
+## GCP Permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the project where the resource is located.
\ No newline at end of file
diff --git a/docs/resources/google_compute_networks.md b/docs/resources/google_compute_networks.md
new file mode 100644
index 000000000..b25715450
--- /dev/null
+++ b/docs/resources/google_compute_networks.md
@@ -0,0 +1,72 @@
+---
+title: About the google_compute_networks Resource
+platform: gcp
+---
+
+# google\_compute\_networks
+
+Use the `google_compute_networks` InSpec audit resource to test properties of all, or a filtered group of, GCP compute networks for a project.
+
+
+
+## Syntax
+
+A `google_compute_networks` resource block collects GCP networks by project then tests that group.
+
+ describe google_compute_networks(project: 'chef-inspec-gcp') do
+ it { should exist }
+ end
+
+Use this InSpec resource to enumerate IDs then test in-depth using `google_compute_network`.
+
+ google_compute_networks(project: 'chef-inspec-gcp').network_names.each do |network_name|
+ describe google_compute_network(project: 'chef-inspec-gcp', name: network_name) do
+ its ('subnetworks.count') { should be < 10 }
+ its ('creation_timestamp_date') { should be > Time.now - 365*60*60*24*10 }
+ its ('routing_config.routing_mode') { should eq "REGIONAL" }
+ its ('auto_create_subnetworks'){ should be false }
+ end
+ end
+
+
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that there are no more than a specified number of networks available for the project
+
+ describe google_compute_networks(project: 'chef-inspec-gcp') do
+ its('count') { should be <= 100}
+ end
+
+### Test that an expected network identifier is present in the project
+
+ describe google_compute_networks(project: 'chef-inspec-gcp') do
+ its('network_ids') { should include 12345678975432 }
+ end
+
+### Test that an expected network name is available for the project
+
+ describe google_compute_networks(project: 'chef-inspec-gcp') do
+ its('network_names') { should include "network-name" }
+ end
+
+
+
+
+## Filter Criteria
+
+This resource supports the following filter criteria: `network_id` and `network_name`. Any of these may be used with `where`, as a block or as a method.
+
+## Properties
+
+* `network_ids` - an array of google_compute_network identifier integers
+* `network_names` - an array of google_compute_network name strings
+
+
+
+
+## GCP Permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the project where the resource is located.
\ No newline at end of file
diff --git a/docs/resources/google_compute_subnetwork.md b/docs/resources/google_compute_subnetwork.md
new file mode 100644
index 000000000..1ed8b46b7
--- /dev/null
+++ b/docs/resources/google_compute_subnetwork.md
@@ -0,0 +1,81 @@
+---
+title: About the google_compute_subnetwork Resource
+platform: gcp
+---
+
+# google\_compute\_subnetwork
+
+Use the `google_compute_subnetwork` InSpec audit resource to test properties of a single GCP compute subnetwork.
+
+
+
+## Syntax
+
+A `google_compute_subnetwork` resource block declares the tests for a single GCP subnetwork by project, region and name.
+
+ describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-subnetwork') do
+ it { should exist }
+ its('name') { should eq 'gcp-inspec-subnetwork' }
+ its('region') { should match 'europe-west2' }
+ end
+
+
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that a GCP compute subnetwork exists
+
+ describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-subnetwork') do
+ it { should exist }
+ end
+
+### Test when a GCP compute subnetwork was created
+
+ describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-subnetwork') do
+ its('creation_timestamp_date') { should be > Time.now - 365*60*60*24*10 }
+ end
+
+### Test for an expected subnetwork identifier
+
+ describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-subnetwork') do
+ its('id') { should eq 12345567789 }
+ end
+
+### Test that a subnetwork gateway address is as expected
+
+ describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-subnetwork') do
+ its('gateway_address') { should eq "10.2.0.1" }
+ end
+
+### Test that a subnetwork IP CIDR range is as expected
+
+ describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-subnetwork') do
+ its('ip_cidr_range') { should eq "10.2.0.0/29" }
+ end
+
+### Test that a subnetwork is associated with the expected network
+
+ describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-subnetwork') do
+ its('network') { should match "gcp_network_name" }
+ end
+
+### Test whether VMs in this subnet can access Google services without assigning external IP addresses through Private Google Access
+
+ describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-subnetwork') do
+ its('private_ip_google_access') { should be false }
+ end
+
+
+
+## Properties
+
+* `creation_timestamp`, `creation_timestamp_date`, `gateway_address`, `id`, `ip_cidr_range`, `kind`, `name`, `network`, `private_ip_google_access`, `region`
+
+
+
+
+## GCP Permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the project where the resource is located.
\ No newline at end of file
diff --git a/docs/resources/google_compute_subnetworks.md b/docs/resources/google_compute_subnetworks.md
new file mode 100644
index 000000000..02a799664
--- /dev/null
+++ b/docs/resources/google_compute_subnetworks.md
@@ -0,0 +1,80 @@
+---
+title: About the google_compute_subnetworks Resource
+platform: gcp
+---
+
+# google\_compute\_subnetworks
+
+Use the `google_compute_subnetworks` InSpec audit resource to test properties of all, or a filtered group of, GCP compute subnetworks for a project and region.
+
+
+
+## Syntax
+
+A `google_compute_subnetworks` resource block collects GCP subnetworks by project and region, then tests that group.
+
+ describe google_compute_subnetworks(project: 'chef-inspec-gcp', region: 'europe-west2') do
+ it { should exist }
+ end
+
+Use this InSpec resource to enumerate IDs then test in-depth using `google_compute_subnetwork`.
+
+ google_compute_subnetworks(project: 'chef-inspec-gcp', region:'europe-west2').subnetwork_names.each do |subnetwork_name|
+ describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: name: subnetwork_name) do
+ its('creation_timestamp_date') { should be > Time.now - 365*60*60*24*10 }
+ its('ip_cidr_range') { should eq "10.2.0.0/29" }
+ its('network') { should match "gcp_network_name" }
+ its('private_ip_google_access') { should be false }
+ end
+ end
+
+
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that there are no more than a specified number of subnetworks available for the project and region
+
+ describe google_compute_subnetworks(project: 'chef-inspec-gcp', region: 'europe-west2') do
+ its('count') { should be <= 100}
+ end
+
+### Test that an expected subnetwork identifier is present in the project and region
+
+ describe google_compute_subnetworks(project: 'chef-inspec-gcp', region: 'europe-west2') do
+ its('subnetwork_ids') { should include 12345678975432 }
+ end
+
+
+### Test that an expected subnetwork name is available for the project and region
+
+ describe google_compute_subnetworks(project: 'chef-inspec-gcp', region: 'europe-west2') do
+ its('subnetwork_names') { should include "subnetwork-name" }
+ end
+
+### Test that an expected subnetwork network name is not present for the project and region
+
+ describe google_compute_subnetworks(project: 'chef-inspec-gcp', region: 'europe-west2') do
+ its('subnetwork_networks') { should not include "network-name" }
+ end
+
+
+
+
+## Filter Criteria
+
+This resource supports the following filter criteria: `subnetwork_id`; `subnetwork_name` and `subnetwork_network`. Any of these may be used with `where`, as a block or as a method.
+
+## Properties
+
+* `subnetwork_ids` - an array of google_compute_subnetwork identifier integers
+* `subnetwork_names` - an array of google_compute_subnetwork name strings
+* `subnetwork_networks` - an array of google_compute_network name strings
+
+
+
+
+## GCP Permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the project where the resource is located.
\ No newline at end of file
diff --git a/libraries/google_compute_network.rb b/libraries/google_compute_network.rb
new file mode 100644
index 000000000..7c67051cc
--- /dev/null
+++ b/libraries/google_compute_network.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'gcp_backend'
+
+module Inspec::Resources
+ class GoogleComputeNetwork < GcpResourceBase
+ name 'google_compute_network'
+ desc 'Verifies settings for a compute network'
+
+ example "
+ describe google_compute_network(project: 'chef-inspec-gcp', name: 'gcp-inspec-network') do
+ it { should exist }
+ end
+ "
+
+ def initialize(opts = {})
+ # Call the parent class constructor
+ super(opts)
+ @display_name = opts[:name]
+ catch_gcp_errors do
+ @network = @gcp.gcp_compute_client.get_network(opts[:project], opts[:name])
+ create_resource_methods(@network)
+ end
+ end
+
+ def exists?
+ !@network.nil?
+ end
+
+ def creation_timestamp_date
+ return false if !defined?(creation_timestamp)
+ Time.parse(creation_timestamp.to_s)
+ end
+
+ def to_s
+ "Network #{@display_name}"
+ end
+ end
+end
diff --git a/libraries/google_compute_networks.rb b/libraries/google_compute_networks.rb
new file mode 100644
index 000000000..3b074f42f
--- /dev/null
+++ b/libraries/google_compute_networks.rb
@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require 'gcp_backend'
+
+module Inspec::Resources
+ class GoogleComputeNetworks < GcpResourceBase
+ name 'google_compute_networks'
+ desc 'Verifies settings for GCP compute networks in bulk'
+
+ example "
+ describe google_compute_networks(project: 'chef-inspec-gcp') do
+ it { should exist }
+ end
+ "
+
+ def initialize(opts = {})
+ # Call the parent class constructor
+ super(opts)
+ @project = opts[:project]
+ end
+
+ # FilterTable setup
+ filter_table_config = FilterTable.create
+ filter_table_config.add(:network_ids, field: :network_id)
+ filter_table_config.add(:network_names, field: :network_name)
+ filter_table_config.connect(self, :fetch_data)
+
+ def fetch_data
+ network_rows = []
+ next_page = nil
+ loop do
+ catch_gcp_errors do
+ @networks = @gcp.gcp_compute_client.list_networks(@project, page_token: next_page)
+ end
+ return [] if !@networks || !@networks.items
+ @networks.items.map do |network|
+ network_rows+=[{ network_id: network.id,
+ network_name: network.name }]
+ end
+ next_page = @networks.next_page_token
+ break unless next_page
+ end
+ @table = network_rows
+ end
+ end
+end
diff --git a/libraries/google_compute_subnetwork.rb b/libraries/google_compute_subnetwork.rb
new file mode 100644
index 000000000..469c01561
--- /dev/null
+++ b/libraries/google_compute_subnetwork.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'gcp_backend'
+
+module Inspec::Resources
+ class GoogleComputeSubnetwork < GcpResourceBase
+ name 'google_compute_subnetwork'
+ desc 'Verifies settings for a compute subnetwork'
+
+ example "
+ describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-subnetwork') do
+ it { should exist }
+ end
+ "
+
+ def initialize(opts = {})
+ # Call the parent class constructor
+ super(opts)
+ @display_name = opts[:name]
+ catch_gcp_errors do
+ @subnetwork = @gcp.gcp_compute_client.get_subnetwork(opts[:project], opts[:region], opts[:name])
+ create_resource_methods(@subnetwork)
+ end
+ end
+
+ def creation_timestamp_date
+ return false if !defined?(creation_timestamp)
+ Time.parse(creation_timestamp.to_s)
+ end
+
+ def exists?
+ !@subnetwork.nil?
+ end
+
+ def to_s
+ "Subnetwork #{@display_name}"
+ end
+ end
+end
diff --git a/libraries/google_compute_subnetworks.rb b/libraries/google_compute_subnetworks.rb
new file mode 100644
index 000000000..f587af8e9
--- /dev/null
+++ b/libraries/google_compute_subnetworks.rb
@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'gcp_backend'
+
+module Inspec::Resources
+ class GoogleComputeSubnetworks < GcpResourceBase
+ name 'google_compute_subnetworks'
+ desc 'Verifies settings for GCP compute subnetworks in bulk'
+
+ example "
+ describe google_compute_subnetworks(project: 'chef-inspec-gcp', region: 'europe-west2') do
+ it { should exist }
+ end
+ "
+
+ def initialize(opts = {})
+ # Call the parent class constructor
+ super(opts)
+ @project = opts[:project]
+ @region = opts[:region]
+ end
+
+ # FilterTable setup
+ filter_table_config = FilterTable.create
+ filter_table_config.add(:subnetwork_ids, field: :subnetwork_id)
+ filter_table_config.add(:subnetwork_names, field: :subnetwork_name)
+ filter_table_config.add(:subnetwork_networks, field: :subnetwork_network)
+ filter_table_config.connect(self, :fetch_data)
+
+ def fetch_data
+ subnetwork_rows = []
+ next_page = nil
+ loop do
+ catch_gcp_errors do
+ @subnetworks = @gcp.gcp_compute_client.list_subnetworks(@project, @region, page_token: next_page)
+ end
+ return [] if !@subnetworks || !@subnetworks.items
+ @subnetworks.items.map do |subnetwork|
+ subnetwork_rows+=[{ subnetwork_id: subnetwork.id,
+ subnetwork_name: subnetwork.name,
+ subnetwork_network: subnetwork.network.split('/').last }]
+ end
+ next_page = @subnetworks.next_page_token
+ break unless next_page
+ end
+ @table = subnetwork_rows
+ end
+ end
+end
diff --git a/libraries/google_compute_zones.rb b/libraries/google_compute_zones.rb
index 6ed669040..611a8e3b6 100644
--- a/libraries/google_compute_zones.rb
+++ b/libraries/google_compute_zones.rb
@@ -10,14 +10,12 @@ class GoogleComputeZones < GcpResourceBase
example "
describe google_compute_zones(project: 'chef-inspec-gcp') do
it { should exist }
- ...
end
"
def initialize(opts = {})
# Call the parent class constructor
super(opts)
- @display_name = opts[:name]
@project = opts[:project]
end
diff --git a/test/integration/build/gcp.tf b/test/integration/build/gcp.tf
index 27a739544..93513cabc 100644
--- a/test/integration/build/gcp.tf
+++ b/test/integration/build/gcp.tf
@@ -78,6 +78,9 @@ variable "gcp_logging_bucket_name" {}
variable "gcp_logging_project_sink_name" {}
variable "gcp_logging_project_exclusion_name" {}
+variable "gcp_network_name" {}
+variable "gcp_subnetwork_name" {}
+
variable "gcp_enable_privileged_resources" {}
provider "google" {
@@ -730,4 +733,22 @@ resource "google_logging_project_exclusion" "project-logging-exclusion" {
}
-# End logging resources
\ No newline at end of file
+# End logging resources
+
+# Start network resources
+
+resource "google_compute_network" "inspec-gcp-network" {
+ project = "${var.gcp_project_id}"
+ name = "${var.gcp_network_name}"
+ auto_create_subnetworks = "false"
+}
+
+resource "google_compute_subnetwork" "inspec-gcp-subnetwork" {
+ project = "${var.gcp_project_id}"
+ ip_cidr_range = "10.2.0.0/29" # i.e. 8 total & 6 usable IPs
+ name = "${var.gcp_subnetwork_name}"
+ region = "${var.gcp_location}"
+ network = "${google_compute_network.inspec-gcp-network.self_link}"
+}
+
+# End network resources
\ No newline at end of file
diff --git a/test/integration/configuration/gcp_inspec_config.rb b/test/integration/configuration/gcp_inspec_config.rb
index 94700ba97..b25d5afc2 100644
--- a/test/integration/configuration/gcp_inspec_config.rb
+++ b/test/integration/configuration/gcp_inspec_config.rb
@@ -80,6 +80,8 @@ def self.add_random_string(length=25)
:gcp_logging_bucket_name => "gcp-inspec-logging-#{add_random_string}",
:gcp_logging_project_sink_name => "gcp-inspec-logging-project-#{add_random_string}",
:gcp_logging_project_exclusion_name => "gcp-inspec-project-exclusion-#{add_random_string}",
+ :gcp_network_name => "gcp-inspec-network",
+ :gcp_subnetwork_name => "gcp-inspec-subnetwork",
# Some resources require elevated privileges to create and therefore test against. The below flag is used to control
# both the terraform resource creation and the inspec test execution for those resources. Default behaviour is for this to
# be disabled meaning a user needs no special GCP privileges to run the integration test pack.
diff --git a/test/integration/verify/controls/google_compute_network.rb b/test/integration/verify/controls/google_compute_network.rb
new file mode 100644
index 000000000..0e7a1ce6b
--- /dev/null
+++ b/test/integration/verify/controls/google_compute_network.rb
@@ -0,0 +1,23 @@
+title 'Test single GCP compute network'
+
+gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.')
+gcp_network_name = attribute(:gcp_network_name, default: '', description: 'The GCP network name.')
+gcp_subnetwork_name = attribute(:gcp_subnetwork_name, default: '', description: 'The GCP subnetwork name.')
+
+control 'gcp-compute-network-1.0' do
+
+ impact 1.0
+ title 'Ensure GCP compute network has the correct properties.'
+
+ describe google_compute_network(project: gcp_project_id, name: gcp_network_name) do
+ it { should exist }
+ # the below id example is valid but not tested each time by default
+ #its('id') { should eq 5815877451834825315 }
+ its('name') { should eq gcp_network_name }
+ its ('subnetworks.count') { should eq 1 }
+ its ('subnetworks.first') { should match gcp_subnetwork_name }
+ its ('creation_timestamp_date') { should be > Time.now - 365*60*60*24*10 }
+ its ('routing_config.routing_mode') { should eq "REGIONAL" }
+ its ('auto_create_subnetworks'){ should be false }
+ end
+end
\ No newline at end of file
diff --git a/test/integration/verify/controls/google_compute_networks.rb b/test/integration/verify/controls/google_compute_networks.rb
new file mode 100644
index 000000000..bae5714d6
--- /dev/null
+++ b/test/integration/verify/controls/google_compute_networks.rb
@@ -0,0 +1,17 @@
+title 'Networks Properties'
+
+gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.')
+gcp_network_name = attribute(:gcp_network_name, default: '', description: 'The GCP network name.')
+
+control 'gcp-networks-1.0' do
+
+ impact 1.0
+ title 'Ensure networks have the correct properties in bulk'
+
+ describe google_compute_networks(project: gcp_project_id) do
+ it { should exist }
+ its('count') { should be <= 100}
+ its('network_names') { should include gcp_network_name }
+ end
+
+end
\ No newline at end of file
diff --git a/test/integration/verify/controls/google_compute_subnetwork.rb b/test/integration/verify/controls/google_compute_subnetwork.rb
new file mode 100644
index 000000000..8f16d023b
--- /dev/null
+++ b/test/integration/verify/controls/google_compute_subnetwork.rb
@@ -0,0 +1,25 @@
+title 'Test single GCP compute subnetwork'
+
+gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.')
+gcp_region = attribute(:gcp_location, default: '', description: 'The GCP region being used.')
+gcp_network_name = attribute(:gcp_network_name, default: '', description: 'The GCP network name.')
+gcp_subnetwork_name = attribute(:gcp_subnetwork_name, default: '', description: 'The GCP subnetwork name.')
+
+control 'gcp-compute-subnetwork-1.0' do
+
+ impact 1.0
+ title 'Ensure GCP compute subnetwork has the correct properties.'
+
+ describe google_compute_subnetwork(project: gcp_project_id, region: gcp_region, name: gcp_subnetwork_name) do
+ it { should exist }
+ # leaving the below two lines as examples of valid tests
+ #its('id') { should eq 3916412205080353392 }
+ #its('gateway_address') { should eq "10.2.0.1" }
+ its('name') { should eq gcp_subnetwork_name }
+ its('region') { should match gcp_region }
+ its('creation_timestamp_date') { should be > Time.now - 365*60*60*24*10 }
+ its('ip_cidr_range') { should eq "10.2.0.0/29" }
+ its('network') { should match gcp_network_name }
+ its('private_ip_google_access') { should be false }
+ end
+end
\ No newline at end of file
diff --git a/test/integration/verify/controls/google_compute_subnetworks.rb b/test/integration/verify/controls/google_compute_subnetworks.rb
new file mode 100644
index 000000000..1d0d2fdcc
--- /dev/null
+++ b/test/integration/verify/controls/google_compute_subnetworks.rb
@@ -0,0 +1,20 @@
+title 'Subnetworks Properties'
+
+gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.')
+gcp_network_name = attribute(:gcp_network_name, default: '', description: 'The GCP network name.')
+gcp_region = attribute(:gcp_location, default: '', description: 'The GCP region being used.')
+gcp_subnetwork_name = attribute(:gcp_subnetwork_name, default: '', description: 'The GCP subnetwork name.')
+
+control 'gcp-subnetworks-1.0' do
+
+ impact 1.0
+ title 'Ensure subnetworks have the correct properties in bulk'
+
+ describe google_compute_subnetworks(project: gcp_project_id, region: gcp_region) do
+ it { should exist }
+ its('count') { should be <= 100}
+ its('subnetwork_names') { should include gcp_subnetwork_name }
+ its('subnetwork_networks') { should include gcp_network_name }
+ end
+
+end
\ No newline at end of file