Cloud SQL resources

docs/resources/google_compute_zones.md

@@ -59,7 +59,7 @@ The following examples show how to use this InSpec audit resource.
 
 ### Test that a subset of all zones matching "us*" are "UP"
 
-    describe google_compute_zones(project: gcp_project_id).where(zone_name: /^us/).zone_names.each do |zone_name|
+    google_compute_zones(project: 'chef-inspec-gcp').where(zone_name: /^us/).zone_names.each do |zone_name|
       describe google_compute_zone(project: 'chef-inspec-gcp',  zone: zone_name) do
         it { should exist }
         its('kind') { should eq "compute#zone" }

docs/resources/google_sql_database_instance.md

@@ -0,0 +1,69 @@
+---
+title: About the google_sql_database_instance Resource
+platform: gcp
+---
+
+# google\_sql\_database\_instance
+
+Use the `google_sql_database_instance` InSpec audit resource to test properties of a single GCP Cloud SQL Database instance.
+
+<br>
+
+## Syntax
+
+A `google_sql_database_instance` resource block declares the tests for a single CP Cloud SQL Database instance by project and name.
+
+    describe google_sql_database_instance(project: 'chef-inspec-gcp',  database: 'my-database') do
+      it { should exist }
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+
+### Test that a GCP Cloud SQL Database instance is in the expected state
+
+    describe google_sql_database_instance(project: 'chef-inspec-gcp',  database: 'my-database') do
+      its('state') { should eq 'RUNNABLE' }
+    end
+
+### Test that a GCP Cloud SQL Database instance generation type
+
+    describe google_sql_database_instance(project: 'chef-inspec-gcp',  database: 'my-database') do
+      its('backend_type') { should eq "SECOND_GEN" }
+    end
+
+### Test that a GCP Cloud SQL Database instance connection name is as expected
+
+    describe google_sql_database_instance(project: 'spaterson-project',  database: 'gcp-inspec-db-instance') do
+      its('connection_name') { should eq "spaterson-project:europe-west2:gcp-inspec-db-instance" }
+    end
+
+### Confirm that a GCP Cloud SQL Database instance has the correct version 
+
+    describe google_sql_database_instance(project: 'spaterson-project',  database: 'gcp-inspec-db-instance') do
+      its('database_version') { should eq "MYSQL_5_7" }
+    end
+
+### Confirm that a GCP Cloud SQL Database instance is running in the desired region and zone 
+
+    describe google_sql_database_instance(project: 'spaterson-project',  database: 'gcp-inspec-db-instance') do
+      its('gce_zone') { should eq "europe-west2-a" }
+      its('region') { should eq "europe-west2" }
+    end
+
+<br>
+
+## Properties
+
+*  `backend_type`, `connection_name`, `database_version`, `etag`, `gce_zone`, `instance_type`, `ip_addresses`, `kind`, `name`, `project`, `region`, `server_ca_cert`, `service_account_email_address`, `settings`, `state`
+
+<br>
+
+
+## GCP Permissions
+
+Ensure the [Cloud SQL API](https://console.cloud.google.com/projectselector/apis/api/sqladmin.googleapis.com/overview) is enabled for the project.

docs/resources/google_sql_database_instances.md

@@ -0,0 +1,89 @@
+---
+title: About the google_sql_database_instances Resource
+platform: gcp
+---
+
+# google\_sql\_database\_instances
+
+Use the `google_sql_database_instances` InSpec audit resource to test properties of GCP Cloud SQL Database instances.
+
+<br>
+
+## Syntax
+
+A `google_sql_database_instances` resource block collects GCP zones by project then tests that group.
+
+    describe google_sql_database_instances(project: 'chef-inspec-gcp') do
+      it { should exist }
+    end
+
+Use this InSpec resource to enumerate IDs then test in-depth using `google_sql_database_instance`.
+
+    google_sql_database_instances(project: 'chef-inspec-gcp').instance_names.each do |instance_name|
+      describe google_sql_database_instance(project: 'chef-inspec-gcp',  database: instance_name) do
+        it { should exist }
+        its('backend_type') { should eq "SECOND_GEN" }
+      end
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that there are no more than a specified number of zones available for the project
+
+    describe google_sql_database_instances(project: 'chef-inspec-gcp') do
+      its('count') { should be <= 100}
+    end
+
+
+### Test that a database instance exists in the expected zone  
+
+    describe google_sql_database_instances(project: 'chef-inspec-gcp') do
+      its('instance_zones') { should include "us-east1-b" }
+    end
+
+### Test that a database instance exists in the expected region  
+
+    describe google_sql_database_instances(project: 'chef-inspec-gcp') do
+      its('instance_regions') { should include "us-east1" }
+    end
+
+
+### Confirm that at least one database instance is in "RUNNABLE" state
+
+    describe google_sql_database_instances(project: 'chef-inspec-gcp') do
+      its('instance_states') { should include "RUNNABLE" }
+    end
+
+### Test that a subset of all database instances matching "*mysqldb*" are all version "MYSQL_5_7"
+
+    google_sql_database_instances(project: 'chef-inspec-gcp').where(instance_name: /mysqldb/).instance_names.each do |instance_name|
+      describe google_sql_database_instance(project: 'chef-inspec-gcp',  database: instance_name) do
+        it { should exist }
+        its('database_version') { should eq "MYSQL_5_7" }
+      end
+    end
+
+<br>
+
+## Filter Criteria
+
+This resource supports the following filter criteria:  `instance_name`; `instance_version`; `instance_region`; `instance_zone` and `instance_state`. Any of these may be used with `where`, as a block or as a method.
+
+## Properties
+
+*  `instance_names` - an array of google_sql_database_instance name strings
+*  `instance_versions` - an array of google_sql_database_instance version strings
+*  `instance_regions`- an array of google_compute_region name strings
+*  `instance_zones`- an array of google_sql_database_instance name strings
+*  `instance_states`- an array of google_sql_database_instance state strings
+
+<br>
+
+
+## GCP Permissions
+
+Ensure the [Cloud SQL API](https://console.cloud.google.com/projectselector/apis/api/sqladmin.googleapis.com/overview) is enabled for the project.

docs/resources/google_sql_users.md

@@ -0,0 +1,69 @@
+---
+title: About the google_sql_users Resource
+platform: gcp
+---
+
+# google\_sql\_users
+
+Use the `google_sql_users` InSpec audit resource to test properties of all, or a filtered group of, GCP sql users for a project database instance.
+
+<br>
+
+## Syntax
+
+A `google_sql_users` resource block collects GCP users by project then tests that group.
+
+    describe google_sql_users(project: 'chef-inspec-gcp', database: 'database-instance') do
+      it { should exist }
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that there are no more than a specified number of users available for the project
+
+    describe google_sql_users(project: 'chef-inspec-gcp', database: 'database-instance') do
+      its('count') { should be <= 100}
+    end
+
+### Test that an expected user is available for the project
+
+    describe google_sql_users(project: 'chef-inspec-gcp') do
+      its('user_names') { should include "us-east1-b" }
+    end
+
+### Test whether any users are in status "DOWN"
+
+    describe google_sql_users(project: 'chef-inspec-gcp') do
+      its('user_statuses') { should_not include "DOWN" }
+    end
+
+### Test users exist for all database instances in a project
+
+    google_sql_database_instances(project: 'chef-inspec-gcp').instance_names.each do |instance_name|
+      describe google_sql_users(project: 'chef-inspec-gcp', database: instance_name) do
+        it { should exist }
+      end
+    end
+
+<br>
+
+## Filter Criteria
+
+This resource supports the following filter criteria:  `user_id`; `user_name` and `user_status`. Any of these may be used with `where`, as a block or as a method.
+
+## Properties
+
+*  `user_namess` - an array of google sql user name strings
+*  `user_instances`- an array of google_sql_database_instance name strings
+*  `user_hosts`- an array of google sql user host strings
+
+<br>
+
+
+## GCP Permissions
+
+Ensure the [Cloud SQL API](https://console.cloud.google.com/projectselector/apis/api/sqladmin.googleapis.com/overview) is enabled for the project.

libraries/google_sql_database_instance.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require 'gcp_backend'
+require 'google/apis/sqladmin_v1beta4'
+
+module Inspec::Resources
+  class GoogleCloudSqlDatabaseInstance < GcpResourceBase
+    name 'google_sql_database_instance'
+    desc 'Verifies settings for a GCP Cloud SQL Database instance'
+
+    example "
+      describe google_sql_database_instance(project: 'chef-inspec-gcp',  database: 'my-database') do
+        it { should exist }
+      end
+    "
+
+    def initialize(opts = {})
+      # Call the parent class constructor
+      super(opts)
+      @display_name = opts[:database]
+      catch_gcp_errors do
+        @database = @gcp.gcp_client(Google::Apis::SqladminV1beta4::SQLAdminService).get_instance(opts[:project], opts[:database])
+        create_resource_methods(@database)
+      end
+    end
+
+    def exists?
+      [email protected]?
+    end
+
+    def has_ip_configuration_require_ssl?
+      return false if !defined?(@database.settings.ip_configuration.require_ssl)
+      return false if @database.settings.ip_configuration.require_ssl.nil?
+      return true if @database.settings.ip_configuration.require_ssl.to_s.casecmp('true').zero?
+      false
+    end
+
+    def authorized_networks
+      return [] if !defined?(@database.settings.ip_configuration.authorized_networks)
+      @database.settings.ip_configuration.authorized_networks
+    end
+
+    def primary_ip_address
+      return false if !defined?(@database.ip_addresses[0].ip_address)
+      @database.ip_addresses[0].ip_address
+    end
+
+    def to_s
+      "Database #{@display_name}"
+    end
+  end
+end

libraries/google_sql_database_instances.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require 'gcp_backend'
+
+module Inspec::Resources
+  class GoogleCloudSqlDatabaseInstances < GcpResourceBase
+    name 'google_sql_database_instances'
+    desc 'Verifies settings for GCP Cloud SQL Database instances in bulk'
+
+    example "
+      describe google_sql_database_instances(project: 'chef-inspec-gcp') do
+        it { should exist }
+      end
+    "
+
+    def initialize(opts = {})
+      # Call the parent class constructor
+      super(opts)
+    end
+
+    # FilterTable setup
+    filter_table_config = FilterTable.create
+    filter_table_config.add(:instance_names, field: :instance_name)
+    filter_table_config.add(:instance_versions, field: :instance_version)
+    filter_table_config.add(:instance_regions, field: :instance_region)
+    filter_table_config.add(:instance_zones, field: :instance_zone)
+    filter_table_config.add(:instance_states, field: :instance_state)
+    filter_table_config.connect(self, :fetch_data)
+
+    def fetch_data
+      instance_rows = []
+      catch_gcp_errors do
+        @databases = @gcp.gcp_client(Google::Apis::SqladminV1beta4::SQLAdminService).list_instances(opts[:project])
+      end
+      return [] if !@databases || [email protected]
+      @databases.items.map do |instance|
+        instance_rows+=[{ instance_name: instance.name,
+                          instance_version: instance.database_version,
+                          instance_region: instance.region,
+                          instance_zone: instance.gce_zone,
+                          instance_state: instance.state }]
+      end
+      @databases = instance_rows
+    end
+  end
+end

libraries/google_sql_users.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require 'gcp_backend'
+
+module Inspec::Resources
+  class GoogleCloudSqlUsers < GcpResourceBase
+    name 'google_sql_users'
+    desc 'Verifies settings for GCP Cloud SQL Database users in bulk'
+
+    example "
+      describe google_sql_users(project: 'chef-inspec-gcp', database: 'database') do
+        it { should exist }
+      end
+    "
+
+    def initialize(opts = {})
+      # Call the parent class constructor
+      super(opts)
+    end
+
+    # FilterTable setup
+    filter_table_config = FilterTable.create
+    filter_table_config.add(:user_names, field: :user_name)
+    filter_table_config.add(:user_hosts, field: :user_host)
+    filter_table_config.add(:user_instances, field: :user_instance)
+    filter_table_config.connect(self, :fetch_data)
+
+    def fetch_data
+      user_rows = []
+      catch_gcp_errors do
+        @users = @gcp.gcp_client(Google::Apis::SqladminV1beta4::SQLAdminService).list_users(opts[:project], opts[:database])
+      end
+      return [] if !@users || [email protected]
+      @users.items.map do |user|
+        user_rows+=[{ user_name: user.name,
+                      user_host: user.host,
+                      user_instance: user.instance }]
+      end
+      @users = user_rows
+    end
+  end
+end