Adding google_user(s) and project alert policy resources #59

Merged
merged 9 commits into from
Oct 2, 2018
78 changes: 78 additions & 0 deletions docs/resources/google_project_alert_policies.md
@@ -0,0 +1,78 @@
---
title: About the google_project_alert_policies Resource
platform: gcp
---

# google\_compute\_alert\_policies

Use the `google_project_alert_policies` InSpec audit resource to test properties of all, or a filtered group of, GCP project alert policies.

<br>

## Syntax

A `google_project_alert_policies` resource block collects GCP project alert policies by project then tests that group.

describe google_project_alert_policies(project: 'chef-inspec-gcp') do
it { should exist }
end

Use this InSpec resource to enumerate IDs then test in-depth using `google_project_alert_policy`.

google_project_alert_policies(project: 'chef-inspec-gcp').policy_names.each do |policy_name|
describe google_project_alert_policy(name: policy_name) do
it { should exist }
it { should be_enabled }
end
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that there are no more than a specified number of project alert policies available for the project

describe google_project_alert_policies(project: 'chef-inspec-gcp') do
its('count') { should be <= 100}
end

### Test that an expected policy name is available for the project

describe google_project_alert_policies(project: 'chef-inspec-gcp') do
its('policy_names') { should include 'projects/spaterson-project/alertPolicies/9271751234503117449' }
end

### Test whether any expected policy display name is available for the project

describe google_project_alert_policies(project: 'chef-inspec-gcp') do
its('policy_display_names') { should_not include 'banned policy' }
end

### Ensure no existing policies are inactive

describe google_project_alert_policies(project: 'chef-inspec-gcp') do
its('policy_enabled_states') { should_not include false }
end


<br>

## Filter Criteria

This resource supports the following filter criteria: `policy_name`; `policy_display_name`; `policy_filter_list` and `policy_enabled_state`. Any of these may be used with `where`, as a block or as a method.

## Properties

* `policy_names` - an array of google_project_alert_policy name strings
* `policy_display_names` - an array of google_project_alert_policy display name strings
* `policy_enabled_states`- an array of google_project_alert_policy enabled status booleans
* `policy_filter_lists`- an array of google_project_alert_policy_condition filter string arrays

<br>


## GCP Permissions

Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/api/logging.googleapis.com/) is enabled for the project.
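Review bot: the H1 `# google\_compute\_alert\_policies` names the wrong resource; this file documents `google_project_alert_policies`, so the heading should match the front-matter title and the resource name used in every example. Two more things in the same file: the "expected policy name" example passes `project: 'chef-inspec-gcp'` but asserts on `projects/spaterson-project/alertPolicies/9271751234503117449`, a name that can never be returned for that project (use one project ID throughout), and the GCP Permissions section tells the reader to enable the Stackdriver Logging API, the same sentence as the metrics resource, whereas alert policies are a Stackdriver Monitoring resource; please confirm which API this resource actually calls and name that one.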
49 changes: 49 additions & 0 deletions docs/resources/google_project_alert_policy.md
@@ -0,0 +1,49 @@
---
title: About the google_project_alert_policy Resource
platform: gcp
---

# google\_project\_alert\_policy

Use the `google_project_alert_policy` InSpec audit resource to test properties of a single GCP project alert policy.

<br>

## Syntax

A `google_project_alert_policy` resource block declares the tests for a single GCP project alert policy by name.

describe google_project_alert_policy(name: 'projects/spaterson-project/alertPolicies/9271751234503117449') do
it { should exist }
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that a GCP alert policy is enabled

describe google_project_alert_policy(name: 'projects/spaterson-project/alertPolicies/9271751234503117449') do
it { should be_enabled }
end

### Test that a GCP compute alert policy display name is correct

describe google_project_alert_policy(name: 'projects/spaterson-project/alertPolicies/9271751234503117449') do
its('display_name') { should eq 'policy name' }
end

<br>

## Properties

* `combiner`, `conditions`, `creation_record`, `display_name`, `enabled`, `mutation_record`, `name`

<br>


## GCP Permissions

Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/api/logging.googleapis.com/) is enabled for the project.
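Review bot: the heading "Test that a GCP compute alert policy display name is correct" says "compute", but this resource is `google_project_alert_policy`; drop the word. The Properties section is a bare list of names (`combiner`, `conditions`, `creation_record`, ...) while the sibling `google_project_alert_policies.md` describes each property; at minimum say what `conditions` returns and that `enabled` is what backs the `be_enabled` matcher used in the examples. The Permissions section repeats the Logging API text from the metrics resource for what is a Monitoring resource; please confirm and correct it.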
50 changes: 50 additions & 0 deletions docs/resources/google_project_alert_policy_condition.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
---
title: About the google_project_alert_policy_condition Resource
platform: gcp
---

# google\_project\_alert\_policy\_condition

Use the `google_project_alert_policy_condition` InSpec audit resource to test properties of a single GCP project alert policy condition.

<br>

## Syntax

A `google_project_alert_policy_condition` resource block declares the tests for a single GCP project alert policy condition by name and filter.

describe google_project_alert_policy_condition(name: 'projects/spaterson-project/alertPolicies/9271751234503117449', filter 'project=\"spaterson-project\"') do
it { should exist }
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.


### Test that a GCP project alert policy condition has a particular threshold value

describe google_project_alert_policy_condition(name: 'projects/spaterson-project/alertPolicies/9271751234503117449', filter 'project=\"spaterson-project\"') do
its('condition_threshold_value'){ should eq 0.001 }
end

### Test that a GCP project alert policy condition has a particular aggregation alignment period

describe google_project_alert_policy_condition(name: 'projects/spaterson-project/alertPolicies/9271751234503117449', filter 'project=\"spaterson-project\"') do
its('aggregation_alignment_period'){ should eq '60s' }
end

<br>

## Properties

* `condition_threshold_value`, `aggregation_alignment_period`, `aggregation_per_series_aligner`, `aggregation_cross_series_reducer`

<br>


## GCP Permissions

Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/api/logging.googleapis.com/) is enabled for the project.
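Review bot: all three `describe google_project_alert_policy_condition(...)` examples are not valid Ruby: `filter 'project=\"spaterson-project\"'` is missing the colon after `filter`, and a positional argument after the `name:` keyword argument is a parse error, so anyone copying the example gets a syntax failure; it should read `filter: 'project="spaterson-project"'`. Separately, inside a single-quoted Ruby string `\"` is kept literally as a backslash followed by a quote, so the filter passed to the resource would contain backslashes and never match the condition it is meant to select; either use plain `"` inside the single quotes, as above, or switch to a double-quoted string where `\"` is an escape. Minor: `its('condition_threshold_value'){` lacks the space before the block used everywhere else, and the Permissions section again points at the Logging API for a Monitoring resource.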
5 changes: 3 additions & 2 deletions docs/resources/google_project_metrics.md
@@ -55,12 +55,13 @@ The following examples show how to use this InSpec audit resource.

## Filter Criteria

This resource supports the following filter criteria: `metric_name` and `metric_filter`. Either of these may be used with `where`, as a block or as a method.
This resource supports the following filter criteria: `metric_name`; `metric_type` and `metric_filter`. Either of these may be used with `where`, as a block or as a method.

## Properties

* `metric_names` - an array of google_project_metric name strings
* `metric_filters`- an array of google_project_metric filters
* `metric_filters`- an array of google_project_metric filter strings
* `metric_types` - an array of google_project_metric type strings

<br>

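Review bot: the rewritten Filter Criteria sentence now lists three criteria (`metric_name`; `metric_type` and `metric_filter`) but still says "Either of these", which only fits two; change it to "Any of these", the wording the new `google_project_alert_policies.md` and `google_users.md` in this PR already use. The `metric_types` property addition matches the new `metric_type` filter criterion and looks right.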
61 changes: 61 additions & 0 deletions docs/resources/google_user.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
---
title: About the google_user Resource
platform: gcp
---

# google\_user

Use the `google_user` InSpec audit resource to test properties of a single GCP user.

<br>

## Syntax

A `google_user` resource block declares the tests for a single GCP user by principal email address or immutable ID.

describe google_user(user_key: '[email protected]') do
it { should exist }
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that a GCP user with specified ID exists

describe google_user(user_key: '110491234567894702010') do
it { should exist }
end

### Test that a GCP user has expected full name

describe google_user(user_key: '110491234567894702010') do
its('name.full_name') { should eq "Bill S. Preston Esq." }
end

### Test that a GCP user has MFA enabled

describe google_user(user_key: '[email protected]') do
it { should have_mfa_enabled }
end

### Test that a GCP user is suspended or not

describe google_user(user_key: '[email protected]') do
it { should_not be_suspended }
end

<br>

## Properties

* `agreed_to_terms`, `archived`, `change_password_at_next_login`, `creation_time`, `customer_id`, `emails`, `etag`, `id`, `include_in_global_address_list`, `ip_whitelisted`, `is_admin`, `is_delegated_admin`, `is_enforced_in2_sv`, `is_enrolled_in2_sv`, `is_mailbox_setup`, `kind`, `last_login_time`, `name`, `non_editable_aliases`, `org_unit_path`, `primary_email`, `suspended`

<br>


## GCP Permissions

Ensure the G Suite Admin SDK [Directory API](https://developers.google.com/admin-sdk/directory/) is enabled and you have sufficient privileges to list users.
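Review bot: the page calls these "GCP users" throughout, but the Permissions section shows the resource reads the G Suite Admin SDK Directory API, so what is looked up by primary email or immutable ID is a G Suite directory account, not a GCP principal in general; saying so in the Syntax paragraph stops readers expecting service accounts or IAM members here. The `have_mfa_enabled` matcher in the MFA example should be documented in terms of the underlying property: the Properties list carries both `is_enrolled_in2_sv` and `is_enforced_in2_sv`, and they mean different things (enrolled is the user's own state, enforced is whether the policy requires it), so state which one the matcher checks and, for a control that wants both, show `its('is_enforced_in2_sv') { should be true }` alongside it. The Properties section is a bare name list; `google_users.md` describes each property, and this file should do the same.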
78 changes: 78 additions & 0 deletions docs/resources/google_users.md
@@ -0,0 +1,78 @@
---
title: About the google_users Resource
platform: gcp
---

# google\_users

Use the `google_users` InSpec audit resource to test properties of all, or a filtered group of, GCP users.

<br>

## Syntax

A `google_users` resource block collects GCP users for the specified customer. As documented [here](https://developers.google.com/admin-sdk/directory/v1/reference/users/list), this defaults to the `my_customer` alias to represent your account's `customerId`.

describe google_users(customer: 'my_customer') do
it { should exist }
end

The `domain` argument can optionally be provided to get fields from only one domain. Either the customer or the domain parameter must be provided.

describe google_users(domain: 'my_domain.com') do
it { should exist }
end

Use this InSpec resource to enumerate IDs then test in-depth using `google_user`.

google_users(customer: 'my_customer').user_ids.each do |user_id|
describe google_user(user_key: user_id) do
it { should exist }
it { should_not be_suspended }
end
end

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test that there are no more than a specified number of users available for the project

describe google_users(customer: 'my_customer') do
its('count') { should be <= 100}
end

### Test that an expected user is available for the project

describe google_users(customer: 'my_customer') do
its('user_names') { should include "Monsieur Happy" }
end

### Test that a subset of all users with name matching "Batman" exists

google_users(customer: 'my_customer').where(user_full_name: /Batman/).user_ids.each do |user_id|
describe google_user(user_key: user_id) do
it { should exist }
end
end

<br>

## Filter Criteria

This resource supports the following filter criteria: `user_id`; `user_full_name` and `user_email`. Any of these may be used with `where`, as a block or as a method.

## Properties

* `user_ids` - an array of google_user identifier integers
* `user_full_names` - an array of google_user full name strings
* `user_emails`- an array of google_user primary email address strings

<br>


## GCP Permissions

Ensure the G Suite Admin SDK [Directory API](https://developers.google.com/admin-sdk/directory/) is enabled and you have sufficient privileges to list users.
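Review bot: the example "Test that an expected user is available for the project" asserts on `its('user_names')`, but the Properties section defines `user_ids`, `user_full_names` and `user_emails` only; `user_names` does not exist on this resource, so the example as written fails. Use `its('user_full_names')`. The two example headings say "for the project", but the resource is scoped by `customer:` or `domain:`, not by project; reword to "for the customer" or "for the domain". Also `user_ids` is described as "identifier integers" while the `google_user` example passes the same ID as a string (`'110491234567894702010'`); state which type the array actually holds so the `.each do |user_id| ... google_user(user_key: user_id)` pattern in the Syntax section is guaranteed to work.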
1 change: 1 addition & 0 deletions libraries/google_compute_instance.rb
@@ -145,6 +145,7 @@ def block_project_ssh_keys
return false if !defined?(@instance.metadata.items)
@instance.metadata.items.each do |element|
return true if element.key=='block-project-ssh-keys' and element.value.casecmp('true').zero?
return true if element.key=='block-project-ssh-keys' and element.value=='1'
end
false
end
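Review bot: the new `return true if element.key=='block-project-ssh-keys' and element.value=='1'` line makes the instance report project SSH keys as blocked for a metadata value that nothing in these lines shows Compute Engine honors; the existing line accepts `true` case-insensitively, and if `1` is not an accepted value this turns a failing control into a pass, the wrong direction for a security check. Please cite the accepted values in a comment, and if `1` stays, fold both checks into one condition, e.g. `return true if element.key == 'block-project-ssh-keys' && %w[true 1].include?(element.value.to_s.downcase)`, which also avoids the `NoMethodError` the existing `casecmp` call raises when `value` is nil.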
2 changes: 2 additions & 0 deletions libraries/google_compute_network.rb
@@ -31,6 +31,8 @@ def legacy?
return false if @network.auto_create_subnetworks
return false if !defined?(@network.gateway_i_pv4)
return false if !defined?(@network.i_pv4_range)
return false if @network.i_pv4_range.nil?
return false if @network.gateway_i_pv4.nil?
true
end

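Review bot: the two added `nil?` guards are the checks that actually do the work here; `defined?(@network.gateway_i_pv4)` and `defined?(@network.i_pv4_range)` on the lines above only test whether the accessor exists on the object, not whether it returned a value, so the four guards can collapse to `return false if @network.i_pv4_range.nil? || @network.gateway_i_pv4.nil?`, keeping a `respond_to?` check only if the client object can genuinely lack the accessor. Testing `auto_create_subnetworks` first is right, since a network with auto-created subnets is by definition not legacy.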
9 changes: 8 additions & 1 deletion libraries/google_container_cluster.rb
@@ -49,7 +49,8 @@ def has_legacy_abac_disabled?
def has_master_authorized_networks_enabled?
return false if !defined?(@cluster.master_authorized_networks_config)
return false if @cluster.master_authorized_networks_config.to_h.empty?
return true if @cluster.master_authorized_networks_config.to_h=={ 'enabled': true }
return false if !defined?(@cluster.master_authorized_networks_config.enabled)
return true if @cluster.master_authorized_networks_config.enabled == true
false
end

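Review bot: replacing the `to_h=={ 'enabled': true }` comparison is the right fix, since that equality failed as soon as the config carried any key besides `enabled` (such as the list of authorized networks); the new `defined?` guard, `return true if ... == true` and trailing `false` can be one expression, `@cluster.master_authorized_networks_config.enabled == true`, after the existing `empty?` check. Note the matcher still tests only the `enabled` flag: it passes for a config that is enabled with no authorized networks listed, so the resource docs should say it checks enablement, not that master access is actually restricted.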
@@ -96,6 +97,12 @@ def has_pod_security_policy_config?
false
end

def private_cluster?
return false if !defined?(@cluster.private_cluster)
return true if @cluster.private_cluster==true
false
end

def exists?
[email protected]?
end
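Review bot: `private_cluster?` follows the other matchers, but the three-line body (`return false if !defined?(...)`, `return true if ... == true`, `false`) reduces to `defined?(@cluster.private_cluster) && @cluster.private_cluster == true`. I don't see a matching `docs/resources/google_container_cluster.md` change in this diff for the resulting `be_private_cluster` matcher; please add an example there so it is discoverable next to `has_master_authorized_networks_enabled?`.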