PR feedback (#3307) (#370)

Signed-off-by: Modular Magician <[email protected]>
modular-magician · Apr 6, 2020 · 427d6be · 427d6be
1 parent 5596657
commit 427d6be
Show file tree

Hide file tree

Showing 41 changed files with 40 additions and 42 deletions.
diff --git a/docs/resources/google_compute_project_info.md b/docs/resources/google_compute_project_info.md
@@ -15,7 +15,6 @@ This resource has beta fields available. To retrieve these fields, include `beta
 describe google_compute_project_info(project: 'chef-gcp-inspec') do
 	it { should exist }
 	its('default_service_account') { should match "developer.gserviceaccount.com" }
-	it { should_not be_has_enabled_oslogin }
 end
 ```
 

diff --git a/test/integration/build/gcp-mm.tf b/test/integration/build/gcp-mm.tf
@@ -636,7 +636,7 @@ variable "project_sink" {
 }
 
 resource "google_logging_project_sink" "project-logging-sink" {
-  count = var.gcp_enable_privileged_resources
+  count = "${var.gcp_organization_id == "" ? 0 : var.gcp_enable_privileged_resources}"
   project = var.gcp_project_id
 
   name = var.project_sink.name
@@ -1204,7 +1204,7 @@ resource "google_compute_image" "example" {
 variable "gcp_organization_iam_custom_role_id" {}
 
 resource "google_organization_iam_custom_role" "generic_org_iam_custom_role" {
-  count = var.gcp_enable_privileged_resources
+  count       = "${var.gcp_organization_id == "" ? 0 : var.gcp_enable_privileged_resources}"
   org_id      = var.gcp_organization_id
   role_id     = var.gcp_organization_iam_custom_role_id
   title       = "GCP Inspec Generic Organization IAM Custom Role"

diff --git a/test/integration/verify/controls/google_access_context_manager_access_policies.rb b/test/integration/verify/controls/google_access_context_manager_access_policies.rb
@@ -26,7 +26,7 @@
   impact 1.0
   title 'google_access_context_manager_access_policies resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
 
   describe google_access_context_manager_access_policies(org_id: gcp_organization_id) do
     its('count') { should be >= 1 }

diff --git a/test/integration/verify/controls/google_access_context_manager_access_policy.rb b/test/integration/verify/controls/google_access_context_manager_access_policy.rb
@@ -26,7 +26,7 @@
   impact 1.0
   title 'google_access_context_manager_access_policy resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
 
   describe.one do
     google_access_context_manager_access_policies(org_id: gcp_organization_id).names.each do |policy_name|

diff --git a/test/integration/verify/controls/google_access_context_manager_service_perimeter.rb b/test/integration/verify/controls/google_access_context_manager_service_perimeter.rb
@@ -26,7 +26,7 @@
   impact 1.0
   title 'google_access_context_manager_service_perimeter resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
 
   describe.one do
     google_access_context_manager_access_policies(org_id: gcp_organization_id).names.each do |policy_name|

diff --git a/test/integration/verify/controls/google_access_context_manager_service_perimeters.rb b/test/integration/verify/controls/google_access_context_manager_service_perimeters.rb
@@ -26,7 +26,7 @@
   impact 1.0
   title 'google_access_context_manager_service_perimeters resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
 
   describe.one do
     google_access_context_manager_access_policies(org_id: gcp_organization_id).names.each do |policy_name|

diff --git a/test/integration/verify/controls/google_appengine_standard_app_version.rb b/test/integration/verify/controls/google_appengine_standard_app_version.rb
@@ -28,7 +28,7 @@
   impact 1.0
   title 'google_appengine_standard_app_version resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
 
   describe google_appengine_standard_app_version(project: gcp_project_id, location: gcp_location, version_id: standardappversion['version_id'], service: standardappversion['service']) do
     it { should exist }

diff --git a/test/integration/verify/controls/google_appengine_standard_app_versions.rb b/test/integration/verify/controls/google_appengine_standard_app_versions.rb
@@ -28,7 +28,7 @@
   impact 1.0
   title 'google_appengine_standard_app_versions resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
 
   describe google_appengine_standard_app_versions(project: gcp_project_id, location: gcp_location,service: standardappversion['service']) do
     its('runtimes') { should include standardappversion['runtime'] }

diff --git a/test/integration/verify/controls/google_billing_project_billing_info.rb b/test/integration/verify/controls/google_billing_project_billing_info.rb
@@ -22,7 +22,7 @@
   impact 1.0
   title 'google_billing_project_billing_info resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   describe google_billing_project_billing_info(project_id: gcp_project_id) do
     it { should exist }
 

diff --git a/test/integration/verify/controls/google_compute_project_info.rb b/test/integration/verify/controls/google_compute_project_info.rb
@@ -22,6 +22,5 @@
   describe google_compute_project_info(project: gcp_project_id) do
   	it { should exist }
   	its('default_service_account') { should match "developer.gserviceaccount.com" }
-  	it { should_not be_has_enabled_oslogin }
   end
 end
diff --git a/test/integration/verify/controls/google_iam_organization_custom_role.rb b/test/integration/verify/controls/google_iam_organization_custom_role.rb
@@ -21,7 +21,7 @@
   impact 1.0
   title 'google_iam_organization_custom_role resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   describe google_iam_organization_custom_role(org_id: gcp_organization_id, name: gcp_organization_iam_custom_role_id) do
     it { should exist }
     its('stage') { should eq 'GA' }

diff --git a/test/integration/verify/controls/google_iam_organization_custom_roles.rb b/test/integration/verify/controls/google_iam_organization_custom_roles.rb
@@ -21,7 +21,7 @@
   impact 1.0
   title 'google_iam_organization_custom_roles resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   describe google_iam_organization_custom_roles(org_id: gcp_organization_id) do
     its('names') { should include "organizations/#{gcp_organization_id}/roles/#{gcp_organization_iam_custom_role_id}" }
   end

diff --git a/test/integration/verify/controls/google_kms_crypto_key.rb b/test/integration/verify/controls/google_kms_crypto_key.rb
@@ -23,7 +23,7 @@
   impact 1.0
   title 'google_kms_crypto_key resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   describe google_kms_crypto_key(project: gcp_project_id, location: gcp_location, key_ring_name: gcp_kms_key_ring_policy_name, name: gcp_kms_crypto_key_name_policy) do
     it { should exist }
     its('crypto_key_name') { should cmp gcp_kms_crypto_key_name_policy }

diff --git a/test/integration/verify/controls/google_kms_crypto_keys.rb b/test/integration/verify/controls/google_kms_crypto_keys.rb
@@ -23,7 +23,7 @@
   impact 1.0
   title 'google_kms_crypto_keys resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   describe google_kms_crypto_keys(project: gcp_project_id, location: gcp_location, key_ring_name: gcp_kms_key_ring_policy_name) do
     its('count') { should be >= 1 }
     its('crypto_key_names') { should include gcp_kms_crypto_key_name_policy }

diff --git a/test/integration/verify/controls/google_kms_key_ring.rb b/test/integration/verify/controls/google_kms_key_ring.rb
@@ -22,7 +22,7 @@
   impact 1.0
   title 'google_kms_key_ring resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   describe google_kms_key_ring(project: gcp_project_id, location: gcp_location, name: gcp_kms_key_ring_policy_name) do
     it { should exist }
     its('create_time') { should be > Time.now - 365*60*60*24*10 }

diff --git a/test/integration/verify/controls/google_kms_key_rings.rb b/test/integration/verify/controls/google_kms_key_rings.rb
@@ -22,7 +22,7 @@
   impact 1.0
   title 'google_kms_key_rings resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   describe google_kms_key_rings(project: gcp_project_id, location: gcp_location) do
     its('key_ring_names'){ should include gcp_kms_key_ring_policy_name }
   end

diff --git a/test/integration/verify/controls/google_logging_folder_exclusion.rb b/test/integration/verify/controls/google_logging_folder_exclusion.rb
@@ -21,7 +21,7 @@
   impact 1.0
   title 'google_logging_folder_exclusion resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   # Getting folder exclusions is complicated due to the name being generated by the server.
   # This can be drastically simplified if you have the name when writing the test
   describe.one do

diff --git a/test/integration/verify/controls/google_logging_folder_exclusions.rb b/test/integration/verify/controls/google_logging_folder_exclusions.rb
@@ -21,7 +21,7 @@
   impact 1.0
   title 'google_logging_folder_exclusions resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   # Getting folder exclusions is complicated due to the name being generated by the server.
   # This can be drastically simplified if you have the name when writing the test
   describe.one do

diff --git a/test/integration/verify/controls/google_logging_folder_log_sink.rb b/test/integration/verify/controls/google_logging_folder_log_sink.rb
@@ -21,7 +21,7 @@
   impact 1.0
   title 'google_logging_folder_log_sink resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   # Getting folder sinks is complicated due to the name being generated by the server.
   # This can be drastically simplified if you have the folder name when writing the test
   describe.one do

diff --git a/test/integration/verify/controls/google_logging_folder_log_sinks.rb b/test/integration/verify/controls/google_logging_folder_log_sinks.rb
@@ -21,7 +21,7 @@
   impact 1.0
   title 'google_logging_folder_log_sinks resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   # Getting folder sinks is complicated due to the name being generated by the server.
   # This can be drastically simplified if you have the folder name when writing the test
   describe.one do

diff --git a/test/integration/verify/controls/google_logging_organization_log_sink.rb b/test/integration/verify/controls/google_logging_organization_log_sink.rb
@@ -21,7 +21,7 @@
   impact 1.0
   title 'google_logging_organization_log_sink resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   describe google_logging_organization_log_sink(organization: gcp_organization_id, name: org_sink['name']) do
     it { should exist }
     its('filter') { should cmp org_sink['filter'] }

diff --git a/test/integration/verify/controls/google_logging_organization_log_sinks.rb b/test/integration/verify/controls/google_logging_organization_log_sinks.rb
@@ -21,7 +21,7 @@
   impact 1.0
   title 'google_logging_organization_log_sinks resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   describe google_logging_organization_log_sinks(organization: gcp_organization_id) do
     its('names') { should include org_sink['name'] }
   end

diff --git a/test/integration/verify/controls/google_logging_project_exclusion.rb b/test/integration/verify/controls/google_logging_project_exclusion.rb
@@ -21,7 +21,7 @@
   impact 1.0
   title 'google_logging_project_exclusion resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
 
   describe google_logging_project_exclusion(project: gcp_project_id, name: project_exclusion['name']) do
   	it { should exist }

diff --git a/test/integration/verify/controls/google_logging_project_exclusions.rb b/test/integration/verify/controls/google_logging_project_exclusions.rb
@@ -21,7 +21,7 @@
   impact 1.0
   title 'google_logging_project_exclusions resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
 
   describe google_logging_project_exclusions(project: gcp_project_id) do
     its('names'){ should include project_exclusion['name'] }

diff --git a/test/integration/verify/controls/google_logging_project_sink.rb b/test/integration/verify/controls/google_logging_project_sink.rb
@@ -21,7 +21,7 @@
   impact 1.0
   title 'google_logging_project_sink resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   describe google_logging_project_sink(project: gcp_project_id, name: project_sink['name']) do
     it { should exist }
     its('filter') { should cmp project_sink['filter'] }

diff --git a/test/integration/verify/controls/google_logging_project_sinks.rb b/test/integration/verify/controls/google_logging_project_sinks.rb
@@ -21,7 +21,7 @@
   impact 1.0
   title 'google_logging_project_sinks resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   describe google_logging_project_sinks(project: gcp_project_id) do
     its('names') { should include project_sink['name'] }
   end

diff --git a/test/integration/verify/controls/google_organization.rb b/test/integration/verify/controls/google_organization.rb
@@ -20,7 +20,7 @@
   impact 1.0
   title 'google_organization resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
 
   describe google_organization(name: "organizations/#{gcp_organization_id}") do
     its('name') { should eq "organizations/#{gcp_organization_id}" }

diff --git a/test/integration/verify/controls/google_organizations.rb b/test/integration/verify/controls/google_organizations.rb
@@ -20,7 +20,7 @@
   impact 1.0
   title 'google_organizations resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
 
   describe google_organizations do
     its('names') { should include "organizations/#{gcp_organization_id}" }

diff --git a/test/integration/verify/controls/google_project_iam_custom_role.rb b/test/integration/verify/controls/google_project_iam_custom_role.rb
@@ -21,7 +21,7 @@
   impact 1.0
   title 'google_project_iam_custom_role resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   describe google_project_iam_custom_role(project: gcp_project_id, name: gcp_project_iam_custom_role_id) do
     it { should exist }
     its('stage') { should eq 'GA' }

diff --git a/test/integration/verify/controls/google_project_iam_custom_roles.rb b/test/integration/verify/controls/google_project_iam_custom_roles.rb
@@ -21,7 +21,7 @@
   impact 1.0
   title 'google_project_iam_custom_roles resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   describe google_project_iam_custom_roles(project: gcp_project_id) do
     its('names') { should include "projects/#{gcp_project_id}/roles/#{gcp_project_iam_custom_role_id}" }
   end

diff --git a/test/integration/verify/controls/google_resourcemanager_folder.rb b/test/integration/verify/controls/google_resourcemanager_folder.rb
@@ -21,7 +21,7 @@
   impact 1.0
   title 'google_resourcemanager_folder resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   describe.one do
     google_resourcemanager_folders(parent: "organizations/#{gcp_organization_id}").names.each do |name|
       describe google_resourcemanager_folder(name: name) do

diff --git a/test/integration/verify/controls/google_resourcemanager_folders.rb b/test/integration/verify/controls/google_resourcemanager_folders.rb
@@ -21,7 +21,7 @@
   impact 1.0
   title 'google_resourcemanager_folders resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   describe.one do
     google_resourcemanager_folders(parent: "organizations/#{gcp_organization_id}").display_names.each do |display_name|
       describe display_name do

diff --git a/test/integration/verify/controls/google_service_account.rb b/test/integration/verify/controls/google_service_account.rb
@@ -21,7 +21,7 @@
   impact 1.0
   title 'google_service_account resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   describe google_service_account(project: gcp_project_id, name: "#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com") do
     it { should exist }
     its('display_name') { should cmp gcp_service_account_display_name }

diff --git a/test/integration/verify/controls/google_service_account_key.rb b/test/integration/verify/controls/google_service_account_key.rb
@@ -21,7 +21,7 @@
   impact 1.0
   title 'google_service_account_key resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   google_service_account_keys(project: gcp_project_id, service_account: "#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com").key_names.each do |sa_key_name|
   	describe 
   end

diff --git a/test/integration/verify/controls/google_service_account_keys.rb b/test/integration/verify/controls/google_service_account_keys.rb
@@ -21,7 +21,7 @@
   impact 1.0
   title 'google_service_account_keys resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   describe google_service_account_keys(project: gcp_project_id, service_account: "#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com") do
     its('count') { should be <= 1000 }
   end

diff --git a/test/integration/verify/controls/google_service_accounts.rb b/test/integration/verify/controls/google_service_accounts.rb
@@ -21,7 +21,7 @@
   impact 1.0
   title 'google_service_accounts resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   describe google_service_accounts(project: gcp_project_id, name: "#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com") do
     its('service_account_emails') { should include "#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com" }
     its('count') { should be <= 1000 }

diff --git a/test/integration/verify/controls/google_storage_bucket_acl.rb b/test/integration/verify/controls/google_storage_bucket_acl.rb
@@ -22,7 +22,7 @@
   impact 1.0
   title 'google_storage_bucket_acl resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   describe google_storage_bucket_acl(bucket: gcp_storage_bucket_acl, entity: "user-#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com") do
     it { should exist }
     its('role') { should cmp "OWNER" }

diff --git a/test/integration/verify/controls/google_storage_bucket_object.rb b/test/integration/verify/controls/google_storage_bucket_object.rb
@@ -23,7 +23,7 @@
   impact 1.0
   title 'google_storage_bucket_object resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   describe google_storage_bucket_object(bucket: gcp_storage_bucket_object, object: gcp_storage_bucket_object_name) do
     it { should exist }
     its('size.to_i') { should be > 0 }

diff --git a/test/integration/verify/controls/google_storage_bucket_objects.rb b/test/integration/verify/controls/google_storage_bucket_objects.rb
@@ -23,7 +23,7 @@
   impact 1.0
   title 'google_storage_bucket_objects resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   describe google_storage_bucket_objects(bucket: gcp_storage_bucket_object) do
   	its('object_names') { should include gcp_storage_bucket_object_name }
   	its('count') { should be <= 10 }

diff --git a/test/integration/verify/controls/google_storage_default_object_acl.rb b/test/integration/verify/controls/google_storage_default_object_acl.rb
@@ -22,7 +22,7 @@
   impact 1.0
   title 'google_storage_default_object_acl resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   describe google_storage_default_object_acl(bucket: gcp_storage_bucket_name, entity: "user-#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com") do
     it { should exist }
     its('role') { should cmp "OWNER" }

diff --git a/test/integration/verify/controls/google_storage_object_acl.rb b/test/integration/verify/controls/google_storage_object_acl.rb
@@ -23,7 +23,7 @@
   impact 1.0
   title 'google_storage_object_acl resource test'
 
-  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != '' }
   describe google_storage_object_acl(bucket: gcp_storage_bucket_object, object: gcp_storage_bucket_object_name, entity: "user-#{gcp_service_account_display_name}@#{gcp_project_id}.iam.gserviceaccount.com") do
     it { should exist }
     its('role') { should cmp "OWNER" }