Project audit logging

docs/resources/google_logging_project_sinks.md

@@ -0,0 +1,77 @@
+---
+title: About the google_logging_project_sinks Resource
+platform: gcp
+---
+
+# google\_logging\_project\_sinks
+
+Use the `google_logging_project_sinks` InSpec audit resource to test properties of all, or a filtered group of, GCP compute project logging sinks for a project.
+
+<br>
+
+## Syntax
+
+A `google_logging_project_sinks` resource block collects GCP project logging sinks by project then tests that group.
+
+    describe google_logging_project_sinks(project: 'chef-inspec-gcp') do
+      it { should exist }
+    end    
+
+Use this InSpec resource to enumerate IDs then test in-depth using `google_logging_project_sink`.
+
+    google_logging_project_sinks(project: 'chef-inspec-gcp').sink_names.each do |sink_name|
+      describe google_logging_project_sink(project: 'chef-inspec-gcp',  sink: sink_name) do
+        it { should exist }
+      end
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that there are no more than a specified number of sinks available for the project
+
+    describe google_logging_project_sinks(project: 'chef-inspec-gcp') do
+      its('count') { should be <= 100}
+    end
+
+### Test that an expected sink name is available for the project
+
+    describe google_logging_project_sinks(project: 'chef-inspec-gcp') do
+      its('sink_names') { should include "my-sink" }
+    end
+
+### Test that an expected sink destination is available for the project
+
+    describe google_logging_project_sinks(project: 'chef-inspec-gcp') do
+      its('sink_destinations') { should include "storage.googleapis.com/a-logging-bucket" }
+    end
+
+### Test that a subset of all sinks matching "project*" have a particular writer identity 
+
+    google_logging_project_sinks(project: 'chef-inspec-gcp').where(sink_name: /project/).sink_names.each do |sink_name|
+      describe google_logging_project_sink(project: 'chef-inspec-gcp',  sink: sink_name) do
+        its('writer_identity') { should eq "serviceAccount:my-logging-service-account.iam.gserviceaccount.com" }
+      end
+    end
+
+<br>
+
+## Filter Criteria
+
+This resource supports the following filter criteria: `sink_name`; `sink_filter` and `sink_destination`. Any of these may be used with `where`, as a block or as a method.
+
+## Properties
+
+*  `sink_names` - an array of google_logging_project_sink name strings
+*  `sink_destinations`- an array of google_logging_project_sink destinations
+*  `sink_filters`- an array of google_logging_project_sink filters
+
+<br>
+
+
+## GCP Permissions
+
+Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/api/logging.googleapis.com/) is enabled for the project.

docs/resources/google_project_logging_audit_config.md

@@ -0,0 +1,51 @@
+---
+title: About the google_project_logging_audit_config Resource
+platform: gcp
+---
+
+# google\_project\_logging\_audit\_config
+
+Use the `google_compute_zone` InSpec audit resource to test properties of a single GCP compute zone.
+
+<br>
+
+## Syntax
+
+A `google_project_logging_audit_config` resource block declares the tests for a single GCP zone by project and name.
+
+    describe google_project_logging_audit_config(project: 'chef-inspec-gcp') do
+      it { should exist }
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+
+### Test that a GCP project logging audit configuration has a default type defined
+
+    describe google_project_logging_audit_config(project: 'chef-inspec-gcp') do
+      its('default_types') { should include 'ADMIN_READ' }
+    end
+
+
+### Test that a GCP project logging audit configuration has default exempted members
+
+    describe google_compute_zone(project: 'chef-inspec-gcp',  zone: 'us-east1-b') do
+      it { should_not have_default_exempted_members }
+    end
+
+<br>
+
+## Properties
+
+*  `default_types`, `default_exempted_members`
+
+<br>
+
+
+## GCP Permissions
+
+Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the project.

docs/resources/google_project_metric.md

@@ -0,0 +1,49 @@
+---
+title: About the google_project_metric Resource
+platform: gcp
+---
+
+# google\_project\_metric
+
+Use the `google_project_metric` InSpec audit resource to test properties of a single GCP project metric.
+
+<br>
+
+## Syntax
+
+A `google_project_metric` resource block declares the tests for a single GCP zone by project and name.
+
+    describe google_project_metric(project: 'chef-inspec-gcp',  metric: 'metric_name') do
+      it { should exist }
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that a GCP project metric exists
+
+    describe google_project_metric(project: 'chef-inspec-gcp',  metric: 'metric_name') do
+      it { should exist }
+    end
+
+### Test that a GCP compute zone has an expected CPU platform
+
+    describe google_project_metric(project: 'chef-inspec-gcp',  metric: 'metric_name') do
+      its('filter') { should eq "(protoPayload.serviceName=\"cloudresourcemanager.googleapis.com\")" }
+    end
+
+<br>
+
+## Properties
+
+*  `filter`, `name`, `metric_descriptor`
+
+<br>
+
+
+## GCP Permissions
+
+Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/api/logging.googleapis.com/) is enabled for the project.

docs/resources/google_project_metrics.md

@@ -0,0 +1,70 @@
+---
+title: About the google_project_metrics Resource
+platform: gcp
+---
+
+# google\_project\_metrics
+
+Use the `google_project_metrics` InSpec audit resource to test properties of all, or a filtered group of, GCP project metrics.
+
+<br>
+
+## Syntax
+
+A `google_project_metrics` resource block collects GCP project logging sinks by project then tests that group.
+
+    describe google_project_metrics(project: 'chef-inspec-gcp') do
+      it { should exist }
+    end    
+
+Use this InSpec resource to enumerate IDs then test in-depth using `google_project_metric`.
+
+    google_project_metrics(project: 'chef-inspec-gcp').sink_names.each do |metric_name|
+      describe google_project_metric(project: 'chef-inspec-gcp',  metric: metric_name) do
+        it { should exist }
+      end
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that there are no more than a specified number of metrics available for the project
+
+    describe google_project_metrics(project: 'chef-inspec-gcp') do
+      its('count') { should be <= 100}
+    end
+
+### Test that an expected metric name is available for the project
+
+    describe google_project_metrics(project: 'chef-inspec-gcp') do
+      its('metric_names') { should include "metric-name" }
+    end
+
+### Test that a subset of all metrics with name matching "*project*" have a particular writer identity 
+
+    google_project_metrics(project: 'chef-inspec-gcp').where(metric_name: /project/).metric_names.each do |metric_name|
+      describe google_project_metric(project: 'chef-inspec-gcp',  metric: metric_name) do
+        its('filter') { should eq "(protoPayload.serviceName=\"cloudresourcemanager.googleapis.com\")" }
+      end
+    end
+
+<br>
+
+## Filter Criteria
+
+This resource supports the following filter criteria: `metric_name` and `metric_filter`. Either of these may be used with `where`, as a block or as a method.
+
+## Properties
+
+*  `metric_names` - an array of google_project_metric name strings
+*  `metric_filters`- an array of google_project_metric filters
+
+<br>
+
+
+## GCP Permissions
+
+Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/api/logging.googleapis.com/) is enabled for the project.

libraries/google_logging_project_sinks.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'gcp_backend'
+
+module Inspec::Resources
+  class GoogleLoggingProjectSinks < GcpResourceBase
+    name 'google_logging_project_sinks'
+    desc 'Verifies settings for GCP project logging sinks in bulk'
+
+    example "
+      describe google_logging_project_sinks(project: 'chef-inspec-gcp') do
+        it { should exist }
+      end
+    "
+
+    def initialize(opts = {})
+      # Call the parent class constructor
+      super(opts)
+      @project = opts[:project]
+    end
+
+    # FilterTable setup
+    filter_table_config = FilterTable.create
+    filter_table_config.add(:sink_names, field: :sink_name)
+    filter_table_config.add(:sink_destinations, field: :sink_destination)
+    filter_table_config.connect(self, :fetch_data)
+
+    def fetch_data
+      sink_rows = []
+      next_page = nil
+      loop do
+        catch_gcp_errors do
+          @sinks = @gcp.gcp_client(Google::Apis::LoggingV2::LoggingService).list_project_sinks("projects/#{@project}", page_token: next_page)
+        end
+        return [] if !@sinks || [email protected]
+        @sinks.sinks.map do |sink|
+          logging_sink = @gcp.gcp_client(Google::Apis::LoggingV2::LoggingService).get_project_sink("projects/#{@project}/sinks/#{sink.name}")
+          sink_rows+=[{ sink_name: sink.name,
+                        sink_destination: sink.destination,
+                        sink_filter: logging_sink.filter }]
+        end
+        next_page = @sinks.next_page_token
+        break unless next_page
+      end
+      @table = sink_rows
+    end
+  end
+end

libraries/google_project_logging_audit_config.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require 'gcp_backend'
+
+module Inspec::Resources
+  class GoogleProjectLoggingAuditConfig < GcpResourceBase
+    name 'google_project_logging_audit_config'
+    desc 'Verifies settings for a GCP project logging audit configuration'
+
+    example "
+      describe google_project_logging_audit_config(project: 'chef-inspec-gcp') do
+        it { should exist }
+      end
+    "
+
+    def initialize(opts = {})
+      # Call the parent class constructor
+      super(opts)
+      @project = opts[:project]
+      catch_gcp_errors do
+        @audit_logging_configs = @gcp.gcp_project_client.get_project_iam_policy(@project)
+        @default_types = []
+        @default_exempted_members = {}
+        if defined?(@audit_logging_configs.audit_configs)
+          @audit_logging_configs.audit_configs.each do |service_config|
+            next if service_config.service != 'allServices'
+            service_config.audit_log_configs.each do |config|
+              @default_types+=[config.log_type]
+              @default_exempted_members[config.log_type]=config.exempted_members if defined?(config.exempted_members)
+            end
+          end
+        end
+      end
+    end
+
+    def exists?
+      return false if !defined? @audit_logging_configs.audit_configs
+      !@audit_logging_configs.audit_configs.nil?
+    end
+
+    attr_reader :default_types
+
+    attr_reader :default_exempted_members
+
+    def has_default_exempted_members?
+      @default_exempted_members.values.any?
+    end
+
+    def to_s
+      "Logging Audit Config For #{@project}"
+    end
+  end
+end

libraries/google_project_metric.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'gcp_backend'
+
+module Inspec::Resources
+  class GoogleProjectMetric < GcpResourceBase
+    name 'google_project_metric'
+    desc 'Verifies settings for a project metric'
+
+    example "
+      describe google_project_metric(project: 'chef-inspec-gcp',  metric: 'metric_name') do
+        it { should exist }
+      end
+    "
+
+    def initialize(opts = {})
+      # Call the parent class constructor
+      super(opts)
+      @display_name = opts[:metric]
+      catch_gcp_errors do
+        @metric = @gcp.gcp_client(Google::Apis::LoggingV2::LoggingService).get_project_metric("projects/#{opts[:project]}/metrics/#{opts[:metric]}")
+        create_resource_methods(@metric)
+      end
+    end
+
+    def exists?
+      [email protected]?
+    end
+
+    def to_s
+      "Project Metric #{@display_name}"
+    end
+  end
+end