This repository has been archived by the owner on Nov 14, 2024. It is now read-only.

Merge pull request #301 from modular-magician/codegen-pr-2956
Add generation for project_sink, project_exclusion for InSpec
slevenick authored Jan 13, 2020
2 parents 256be45 + d689043 commit 897595a
Showing 15 changed files with 524 additions and 286 deletions.
55 changes: 20 additions & 35 deletions docs/resources/google_logging_project_exclusion.md
@@ -1,55 +1,40 @@
---
title: About the google_logging_project_exclusion Resource
title: About the google_logging_project_exclusion resource
platform: gcp
---

# google\_logging\_project\_exclusion

Use the `google_logging_project_exclusion` InSpec audit resource to test properties of a single GCP logging project exclusion.

<br>

## Syntax

A `google_logging_project_exclusion` resource block declares the tests for a single GCP logging project exclusion by project and exclusion name.

describe google_logging_project_exclusion(project: 'chef-inspec-gcp', exclusion: 'exclusion-name-abcd') do
it { should exist }
end

<br>
A `google_logging_project_exclusion` is used to test a Google ProjectExclusion resource

## Examples
```
The following examples show how to use this InSpec audit resource.

### Test that a GCP project logging exclusion name is as expected

describe google_logging_project_exclusion(project: 'chef-inspec-gcp', exclusion: 'exclusion-name-abcd') do
its('name') { should eq 'exclusion-name-abcd' }
end
describe google_logging_project_exclusion(project: 'chef-gcp-inspec', name: 'inspec-project-exclusion') do
it { should exist }
its('description'){ should cmp 'My project exclusion description' }
its('filter'){ should cmp 'resource.type = gce_instance AND severity <= DEBUG' }
end
### Test that a GCP project logging exclusion filter is set correctly
describe google_logging_project_exclusion(project: 'chef-gcp-inspec', name: 'nonexistent') do
it { should_not exist }
end
```

describe google_logging_project_exclusion(project: 'chef-inspec-gcp', exclusion: 'exclusion-name-abcd') do
its('filter') { should eq 'resource.type = gce_instance AND severity <= DEBUG' }
end
## Properties
Properties that can be accessed from the `google_logging_project_exclusion` resource:

### Test that a GCP project logging exclusion description is as expected

describe google_logging_project_exclusion(project: 'chef-inspec-gcp', exclusion: 'exclusion-name-abcd') do
its('description') { should eq 'Exclude GCE instance debug logs' }
end
* `project`: Id of the project that this exclusion applies to.

<br>
* `name`: Name of the exclusion, specified by the server during create.

## Properties
* `description`: A user provided description of this exclusion.

* `description`, `filter`, `name`
* `filter`: An advanced logs filter. The only exported log entries are those that are in the resource owning the sink and that match the filter.

<br>
* `disabled`: If set to true then this exclusion is disabled and it does not exclude any log entries.


## GCP Permissions

Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/api/logging.googleapis.com/) is enabled for the project.
Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/library/logging.googleapis.com/) is enabled for the current project.
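Review bot: The `filter` entry in the Properties list uses the sink wording ("The only exported log entries are those that are in the resource owning the sink and that match the filter"), which reads wrong for an exclusion, where the filter selects the entries that are excluded. Suggest rewording it for exclusions. Since `disabled` is now exposed, an example that asserts on it next to the `filter` check would also help anyone auditing which logs a project is discarding.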
33 changes: 33 additions & 0 deletions docs/resources/google_logging_project_exclusions.md
@@ -0,0 +1,33 @@
---
title: About the google_logging_project_exclusions resource
platform: gcp
---

## Syntax
A `google_logging_project_exclusions` is used to test a Google ProjectExclusion resource

## Examples
```
describe google_logging_project_exclusions(project: 'chef-gcp-inspec') do
its('names'){ should include 'inspec-folder-exclusion' }
end
```

## Properties
Properties that can be accessed from the `google_logging_project_exclusions` resource:

See [google_logging_project_exclusion.md](google_logging_project_exclusion.md) for more detailed information
* `projects`: an array of `google_logging_project_exclusion` project
* `names`: an array of `google_logging_project_exclusion` name
* `descriptions`: an array of `google_logging_project_exclusion` description
* `filters`: an array of `google_logging_project_exclusion` filter
* `disableds`: an array of `google_logging_project_exclusion` disabled

## Filter Criteria
This resource supports all of the above properties as filter criteria, which can be used
with `where` as a block or a method.

## GCP Permissions

Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/library/logging.googleapis.com/) is enabled for the current project.
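Review bot: The example asserts `its('names'){ should include 'inspec-folder-exclusion' }`, but this is the project-level resource and the singular doc in the same commit uses 'inspec-project-exclusion'; the folder name looks carried over from another template. The Syntax sentence also describes the plural resource as testing "a Google ProjectExclusion resource", and Filter Criteria mentions `where` without showing a call. Suggest fixing the name, wording the Syntax line for a collection, and adding one `where` example.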
64 changes: 20 additions & 44 deletions docs/resources/google_logging_project_sink.md
@@ -1,64 +1,40 @@
---
title: About the google_compute_zone Resource
title: About the google_logging_project_sink resource
platform: gcp
---

# google\_logging\_project\_sink

Use the `google_logging_project_sink` InSpec audit resource to test properties of a single GCP logging project sink.

<br>

## Syntax

A `google_logging_project_sink` resource block declares the tests for a single GCP logging project sink by project and sink name.

describe google_logging_project_sink(project: 'chef-inspec-gcp', sink: 'sink-name-abcd') do
it { should exist }
its('name') { should eq 'sink-name-abcd' }
end

<br>
A `google_logging_project_sink` is used to test a Google ProjectSink resource

## Examples
```
describe google_logging_project_sink(project: 'chef-gcp-inspec', name: 'inspec-gcp-org-sink') do
it { should exist }
its('filter') { should cmp 'resource.type = gce_instance AND severity = DEBUG' }
end
The following examples show how to use this InSpec audit resource.

describe google_logging_project_sink(project: 'chef-gcp-inspec', name: 'nonexistent') do
it { should_not exist }
end
```

### Test that a GCP project logging sink destination is correct

describe google_logging_project_sink(project: 'chef-inspec-gcp', sink: 'sink-name-abcd') do
its('destination') { should eq 'storage.googleapis.com/gcp-inspec-logging-bucket' }
end

### Test that a GCP project logging sink filter is correct

describe google_logging_project_sink(project: 'chef-inspec-gcp', sink: 'sink-name-abcd') do
its('filter') { should eq "resource.type = gce_instance AND resource.labels.instance_id = \"12345678910123123\"" }
end

### Test a GCP project logging sink output version format

describe google_logging_project_sink(project: 'chef-inspec-gcp', sink: 'sink-name-abcd') do
its('output_version_format') { should eq "V2" }
end
## Properties
Properties that can be accessed from the `google_logging_project_sink` resource:

### Test a GCP project logging sink writer identity is as expected

describe google_logging_project_sink(project: 'chef-inspec-gcp', sink: 'sink-name-abcd') do
its('writer_identity') { should eq "serviceAccount:my-logging-service-account.iam.gserviceaccount.com" }
end
* `project`: Id of the project that this sink belongs to.

* `name`: Name of the log sink.

<br>
* `filter`: An advanced logs filter. The only exported log entries are those that are in the resource owning the sink and that match the filter.

## Properties
* `destination`: The export destination.

* `destination`, `filter`, `name`, `output_version_format`, `writer_identity`
* `writer_identity`: An IAM identity—a service account or group—under which Logging writes the exported log entries to the sink's destination. This field is set by sinks.create and sinks.update based on the value of uniqueWriterIdentity in those methods.

<br>
* `include_children`: If the field is false, the default, only the logs owned by the sink's parent resource are available for export. If the field is true, then logs from all the projects, folders, and billing accounts contained in the sink's parent resource are also available for export. Whether a particular log entry from the children is exported depends on the sink's filter expression.


## GCP Permissions

Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/api/logging.googleapis.com/) is enabled for the project.
Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/library/logging.googleapis.com/) is enabled for the current project.
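Review bot: The Properties list no longer has `output_version_format`, and the examples switch the lookup key from `sink:` to `name:`, so profiles written against the earlier text will stop working with nothing here to say so. The example name 'inspec-gcp-org-sink' is also odd for a project sink. Suggest noting the renamed parameter and the dropped property, and keeping one example on `destination` or `writer_identity`, since those are the values a logging audit usually pins.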
82 changes: 19 additions & 63 deletions docs/resources/google_logging_project_sinks.md
@@ -1,77 +1,33 @@
---
title: About the google_logging_project_sinks Resource
title: About the google_logging_project_sinks resource
platform: gcp
---

# google\_logging\_project\_sinks

Use the `google_logging_project_sinks` InSpec audit resource to test properties of all, or a filtered group of, GCP compute project logging sinks for a project.

<br>

## Syntax

A `google_logging_project_sinks` resource block collects GCP project logging sinks by project then tests that group.

describe google_logging_project_sinks(project: 'chef-inspec-gcp') do
it { should exist }
end

Use this InSpec resource to enumerate IDs then test in-depth using `google_logging_project_sink`.

google_logging_project_sinks(project: 'chef-inspec-gcp').sink_names.each do |sink_name|
describe google_logging_project_sink(project: 'chef-inspec-gcp', sink: sink_name) do
it { should exist }
end
end

<br>
A `google_logging_project_sinks` is used to test a Google ProjectSink resource

## Examples

The following examples show how to use this InSpec audit resource.

### Test that there are no more than a specified number of sinks available for the project

describe google_logging_project_sinks(project: 'chef-inspec-gcp') do
its('count') { should be <= 100}
end

### Test that an expected sink name is available for the project

describe google_logging_project_sinks(project: 'chef-inspec-gcp') do
its('sink_names') { should include "my-sink" }
end

### Test that an expected sink destination is available for the project

describe google_logging_project_sinks(project: 'chef-inspec-gcp') do
its('sink_destinations') { should include "storage.googleapis.com/a-logging-bucket" }
end

### Test that a subset of all sinks matching "project*" have a particular writer identity

google_logging_project_sinks(project: 'chef-inspec-gcp').where(sink_name: /project/).sink_names.each do |sink_name|
describe google_logging_project_sink(project: 'chef-inspec-gcp', sink: sink_name) do
its('writer_identity') { should eq "serviceAccount:my-logging-service-account.iam.gserviceaccount.com" }
end
end

<br>

## Filter Criteria

This resource supports the following filter criteria: `sink_name`; `sink_filter` and `sink_destination`. Any of these may be used with `where`, as a block or as a method.
```
describe google_logging_project_sinks(project: 'chef-gcp-inspec') do
its('names') { should include 'inspec-gcp-org-sink' }
end
```

## Properties
Properties that can be accessed from the `google_logging_project_sinks` resource:

* `sink_names` - an array of google_logging_project_sink name strings
* `sink_destinations`- an array of google_logging_project_sink destinations
* `sink_filters`- an array of google_logging_project_sink filters

<br>
See [google_logging_project_sink.md](google_logging_project_sink.md) for more detailed information
* `projects`: an array of `google_logging_project_sink` project
* `names`: an array of `google_logging_project_sink` name
* `filters`: an array of `google_logging_project_sink` filter
* `destinations`: an array of `google_logging_project_sink` destination
* `writer_identities`: an array of `google_logging_project_sink` writer_identity
* `include_children`: an array of `google_logging_project_sink` include_children

## Filter Criteria
This resource supports all of the above properties as filter criteria, which can be used
with `where` as a block or a method.

## GCP Permissions

Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/api/logging.googleapis.com/) is enabled for the project.
Ensure the [Stackdriver Logging API](https://console.cloud.google.com/apis/library/logging.googleapis.com/) is enabled for the current project.
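Review bot: The properties are now `names`, `destinations` and `filters`, while the lines they replace document `sink_names`, `sink_destinations` and `sink_filters` and the `where` criteria `sink_name`, `sink_filter` and `sink_destination`; nothing in the new text tells users the old names are gone. The enumerate-then-describe loop and every `where` example are dropped as well, which leaves Filter Criteria with no usage shown. Suggest a short migration note and one `where` example that uses the new names.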
91 changes: 59 additions & 32 deletions libraries/google_logging_project_exclusion.rb
@@ -1,36 +1,63 @@
# frozen_string_literal: true
# frozen_string_literal: false

# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in README.md and
# CONTRIBUTING.md located at the root of this package.
#
# ----------------------------------------------------------------------------
require 'gcp_backend'
require 'google/apis/logging_v2'

module Inspec::Resources
class GoogleLoggingProjectExclusion < GcpResourceBase
name 'google_logging_project_exclusion'
desc 'Verifies settings for a project logging exclusion'

example "
describe google_logging_project_exclusion(project: 'chef-inspec-gcp', exclusion: 'exclusion-name-abcd') do
it { should exist }
end
"

def initialize(opts = {})
# Call the parent class constructor
super(opts)
@project = opts[:project]
@exclusion = opts[:exclusion]
catch_gcp_errors do
@logging_exclusion = @gcp.gcp_client(Google::Apis::LoggingV2::LoggingService).get_project_exclusion("projects/#{opts[:project]}/exclusions/#{opts[:exclusion]}")
create_resource_methods(@logging_exclusion)
end
end

def exists?
!@logging_exclusion.nil?
end

def to_s
"Logging Project Exclusion #{@exclusion}"
end

# A provider to manage Stackdriver Logging resources.
class LoggingProjectExclusion < GcpResourceBase
name 'google_logging_project_exclusion'
desc 'ProjectExclusion'
supports platform: 'gcp'

attr_reader :params
attr_reader :project
attr_reader :name
attr_reader :description
attr_reader :filter
attr_reader :disabled

def initialize(params)
super(params.merge({ use_http_transport: true }))
@params = params
@fetched = @connection.fetch(product_url, resource_base_url, params, 'Get')
parse unless @fetched.nil?
end

def parse
@project = @fetched['project']
@name = @fetched['name']
@description = @fetched['description']
@filter = @fetched['filter']
@disabled = @fetched['disabled']
end

def exists?
!@fetched.nil?
end

def to_s
"ProjectExclusion #{@params[:name]}"
end

private

def product_url
'https://logging.googleapis.com/v2/'
end

def resource_base_url
'projects/{{project}}/exclusions/{{name}}'
end
end
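Review bot: `initialize(params)` now resolves the resource through `'projects/{{project}}/exclusions/{{name}}'`, while the code it replaces read `opts[:exclusion]`, so an existing `exclusion:` argument no longer selects anything. The fetch is also no longer wrapped in `catch_gcp_errors`, and these lines do not show how `@connection.fetch` treats a permission error versus a missing exclusion; `exists?` only checks `@fetched.nil?`. Suggest validating that `:project` and `:name` are present before fetching, and confirming that an authorization failure cannot surface as a passing `should_not exist`.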