This repository has been archived by the owner on Nov 14, 2024. It is now read-only.

Merge pull request #177 from slevenick/project-iam-policy
Project iam policy
Stuart Paterson authored Sep 16, 2019
2 parents 8411260 + 6ab7172 commit 8d24f2b
Showing 91 changed files with 343 additions and 92 deletions.
2 changes: 1 addition & 1 deletion docs/resources/google_compute_regions.md
Expand Up @@ -12,7 +12,7 @@ describe google_compute_regions(project: 'chef-gcp-inspec') do
its('count') { should be >= 1 }
its('region_names') { should include "#{gcp_location}" }
its('region_statuses') { should_not include "DOWN" }
its('region_ids') { should include gcp_region_id }
its('region_ids') { should include "1290" }
end
```
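Review bot: swapping the `gcp_region_id` attribute for the literal `"1290"` in the `region_ids` assertion ties the documented example to one particular project, so a reader who copies it gets a failing control unless their region happens to carry that id. If the attribute was removed because the test fixtures no longer define it, the example should either keep the attribute form and define it, or state that the value is project-specific and must be replaced.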
4 changes: 4 additions & 0 deletions docs/resources/google_compute_subnetwork_iam_policy.md
Expand Up @@ -35,6 +35,10 @@ Properties that can be accessed from the `google_compute_subnetwork_iam_policy`

* `audit_log_configs`: The configuration for logging of each type of permission.

* `log_type`: The log type that this config enables. For example, ADMIN_READ, DATA_WRITE or DATA_READ

* `exempted_members`: Specifies the identities that do not cause logging for this type of permission.



## GCP Permissions
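Review bot: the `exempted_members` description should say why a profile would test it: every identity listed there is excluded from the audit log type named in `log_type`, so a control over this field is how a profile detects silent audit-logging exemptions on the subnetwork policy. Minor: `ADMIN_READ, DATA_WRITE or DATA_READ` are enum values and read better in backticks, and the hunk leaves three consecutive blank lines before `## GCP Permissions`.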
8 changes: 8 additions & 0 deletions docs/resources/google_container_regional_cluster.md
Expand Up @@ -98,6 +98,8 @@ Properties that can be accessed from the `google_container_regional_cluster` res

* `horizontal_pod_autoscaling`: Configuration for the horizontal pod autoscaling feature, which increases or decreases the number of replica pods a replication controller has based on the resource usage of the existing pods.

* `kubernetes_dashboard`: Configuration for the Kubernetes Dashboard. This addon is deprecated, and will be disabled in 1.15. It is recommended to use the Cloud Console to manage and monitor your Kubernetes clusters, workloads and applications.

* `network_policy_config`: Configuration for NetworkPolicy. This only tracks whether the addon is enabled or not on the Master, it does not track whether network policy is enabled for the nodes.

* `subnetwork`: The name of the Google Compute Engine subnetwork to which the cluster is connected.
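Review bot: the `kubernetes_dashboard` entry documents a deprecated addon but not the one field a control would assert on; the generated `RegionalClusterAddonsConfigKubernetesDashboard` class in this PR exposes `disabled`, so list it as a sub-property (for example `* `disabled`: Whether the Kubernetes Dashboard addon is disabled`) so profiles can verify the addon is turned off, as the deprecation note recommends.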
Expand Down Expand Up @@ -174,6 +176,12 @@ Properties that can be accessed from the `google_container_regional_cluster` res

* `message`: Human-friendly representation of the condition

* `master_authorized_networks_config`: Configuration for controlling how IPs are allocated in the cluster

* `enabled`: Whether or not master authorized networks is enabled.

* `cidr_blocks`: Define up to 50 external networks that could access Kubernetes master through HTTPS.

* `location`: The location where the cluster is deployed


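Review bot: the description of `master_authorized_networks_config` ("Configuration for controlling how IPs are allocated in the cluster") does not match the property. Its sub-properties `enabled` and `cidr_blocks` describe which external networks may reach the Kubernetes master over HTTPS, not IP allocation. Suggest "Configuration for restricting which external networks can access the Kubernetes master", so readers looking for the control-plane access restriction find it.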
1 change: 1 addition & 0 deletions docs/resources/google_container_regional_clusters.md
Expand Up @@ -52,6 +52,7 @@ See [google_container_regional_cluster.md](google_container_regional_cluster.md)
* `enable_tpus`: an array of `google_container_regional_cluster` enable_tpu
* `tpu_ipv4_cidr_blocks`: an array of `google_container_regional_cluster` tpu_ipv4_cidr_block
* `conditions`: an array of `google_container_regional_cluster` conditions
* `master_authorized_networks_configs`: an array of `google_container_regional_cluster` master_authorized_networks_config
* `locations`: an array of `google_container_regional_cluster` location

## Filter Criteria
4 changes: 4 additions & 0 deletions docs/resources/google_pubsub_subscription_iam_policy.md
Expand Up @@ -35,6 +35,10 @@ Properties that can be accessed from the `google_pubsub_subscription_iam_policy`

* `audit_log_configs`: The configuration for logging of each type of permission.

* `log_type`: The log type that this config enables. For example, ADMIN_READ, DATA_WRITE or DATA_READ

* `exempted_members`: Specifies the identities that do not cause logging for this type of permission.



## GCP Permissions
4 changes: 4 additions & 0 deletions docs/resources/google_pubsub_topic_iam_policy.md
Expand Up @@ -35,6 +35,10 @@ Properties that can be accessed from the `google_pubsub_topic_iam_policy` resour

* `audit_log_configs`: The configuration for logging of each type of permission.

* `log_type`: The log type that this config enables. For example, ADMIN_READ, DATA_WRITE or DATA_READ

* `exempted_members`: Specifies the identities that do not cause logging for this type of permission.



## GCP Permissions
46 changes: 46 additions & 0 deletions docs/resources/google_resourcemanager_project_iam_policy.md
@@ -0,0 +1,46 @@
---
title: About the google_resourcemanager_project_iam_policy resource
platform: gcp
---

## Syntax
A `google_resourcemanager_project_iam_policy` is used to test a Google Project Iam Policy resource

## Examples
```
describe google_resourcemanager_project_iam_policy(project_id: "projectId") do
it { should exist }
end
google_resourcemanager_project_iam_policy(project_id: "projectId").bindings.each do |binding|
describe binding do
its('role') { should eq 'roles/editor'}
its('members') { should include 'user:[email protected]'}
end
end
```

## Properties
Properties that can be accessed from the `google_resourcemanager_project_iam_policy` resource:

* `bindings`: Associates a list of members to a role.

* `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.

* `members`: Specifies the identities requesting access for a Cloud Platform resource.

* `audit_configs`: Specifies cloud audit logging configuration for this policy.

* `service`: Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices` is a special value that covers all services.

* `audit_log_configs`: The configuration for logging of each type of permission.

* `log_type`: The log type that this config enables. For example, ADMIN_READ, DATA_WRITE or DATA_READ

* `exempted_members`: Specifies the identities that do not cause logging for this type of permission.



## GCP Permissions

Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the current project.
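Review bot: the example asserts `role` eq `roles/editor` and `members` include the sample user for every binding returned by `bindings.each`, so on any project with more than one role the control fails regardless of what the policy contains. Filter before asserting, e.g. `bindings.select { |b| b.role == 'roles/editor' }.each do |binding|`, and consider a second example that checks `members` for principals that should not hold a role, since that is the usual reason to test a project IAM policy. Minor: "Google Project Iam Policy" in the Syntax line should read "IAM", and three blank lines are left before `## GCP Permissions`.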
17 changes: 10 additions & 7 deletions libraries/gcp_backend.rb
Expand Up @@ -207,32 +207,34 @@ def fetch_auth
Network::Authorization.new.from_application_default!
end

def fetch(base_url, template, var_data)
def fetch(base_url, template, var_data, request_type = 'Get')
get_request = Network::Base.new(
build_uri(base_url, template, var_data),
fetch_auth,
request_type,
)
return_if_object get_request.send
end

def fetch_all(base_url, template, var_data)
next_page(build_uri(base_url, template, var_data))
def fetch_all(base_url, template, var_data, request_type = 'Get')
next_page(build_uri(base_url, template, var_data), request_type)
end

def next_page(uri, token = nil)
def next_page(uri, request_type, token = nil)
next_hash = {}
next_hash['pageToken'] = token unless token.nil?
current_params = Hash[URI.decode_www_form(uri.query || '')].merge(next_hash)
uri.query = URI.encode_www_form(current_params)
get_request = Network::Base.new(
uri,
fetch_auth,
request_type,
)
result = JSON.parse(get_request.send.body)
next_page_token = result['nextPageToken']
return [result] if next_page_token.nil?

[result] + next_page(uri, next_page_token)
[result] + next_page(uri, request_type, next_page_token)
end

def return_if_object(response)
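Review bot: `next_page` gained `request_type` as a positional parameter placed ahead of `token`, so any caller outside this hunk still invoking `next_page(uri, token)` would now pass the page token as the HTTP verb and fail later inside `Network::Base#builder` with an unhelpful error; a keyword argument (`request_type: 'Get'`) would fail loudly at the call site instead. Also, pagination always carries `pageToken` in the URI query string; that is fine for `Get`, but nothing here places it in a request body for the non-`Get` request types this change enables, so `fetch_all` with such a type should be verified to actually page rather than returning only the first result.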
Expand Down Expand Up @@ -294,13 +296,14 @@ def expand_variables(template, var_data)
# A handler for authenticated network request
module Network
class Base
def initialize(link, cred)
def initialize(link, cred, request_type)
@link = link
@cred = cred
@request_type = request_type
end

def builder
Net::HTTP.const_get('Get')
Net::HTTP.const_get(@request_type)
end

def send
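Review bot: `Net::HTTP.const_get(@request_type)` resolves any constant name under `Net::HTTP` from a caller-supplied string, not only request classes, so a typo or unexpected value produces a confusing `NoMethodError` when `builder` is used rather than failing at construction. Suggest validating in `initialize` against the verbs this backend issues (e.g. `raise ArgumentError unless %w[Get Post].include?(request_type)`) or mapping the strings to `Net::HTTP::Get`/`Net::HTTP::Post` explicitly, and documenting the accepted values on `initialize`.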
Expand Up @@ -15,6 +15,7 @@
# ----------------------------------------------------------------------------
require 'google/container/property/regionalcluster_addons_config_horizontal_pod_autoscaling'
require 'google/container/property/regionalcluster_addons_config_http_load_balancing'
require 'google/container/property/regionalcluster_addons_config_kubernetes_dashboard'
require 'google/container/property/regionalcluster_addons_config_network_policy_config'
module GoogleInSpec
module Container
Expand All @@ -24,13 +25,16 @@ class RegionalClusterAddonsConfig

attr_reader :horizontal_pod_autoscaling

attr_reader :kubernetes_dashboard

attr_reader :network_policy_config

def initialize(args = nil, parent_identifier = nil)
return if args.nil?
@parent_identifier = parent_identifier
@http_load_balancing = GoogleInSpec::Container::Property::RegionalClusterAddonsConfigHttpLoadBalancing.new(args['httpLoadBalancing'], to_s)
@horizontal_pod_autoscaling = GoogleInSpec::Container::Property::RegionalClusterAddonsConfigHorizontalPodAutoscaling.new(args['horizontalPodAutoscaling'], to_s)
@kubernetes_dashboard = GoogleInSpec::Container::Property::RegionalClusterAddonsConfigKubernetesDashboard.new(args['kubernetesDashboard'], to_s)
@network_policy_config = GoogleInSpec::Container::Property::RegionalClusterAddonsConfigNetworkPolicyConfig.new(args['networkPolicyConfig'], to_s)
end

@@ -0,0 +1,34 @@
# frozen_string_literal: false

# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in README.md and
# CONTRIBUTING.md located at the root of this package.
#
# ----------------------------------------------------------------------------
module GoogleInSpec
module Container
module Property
class RegionalClusterAddonsConfigKubernetesDashboard
attr_reader :disabled

def initialize(args = nil, parent_identifier = nil)
return if args.nil?
@parent_identifier = parent_identifier
@disabled = args['disabled']
end

def to_s
"#{@parent_identifier} RegionalClusterAddonsConfigKubernetesDashboard"
end
end
end
end
end
@@ -0,0 +1,38 @@
# frozen_string_literal: false

# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in README.md and
# CONTRIBUTING.md located at the root of this package.
#
# ----------------------------------------------------------------------------
require 'google/container/property/regionalcluster_master_authorized_networks_config_cidr_blocks'
module GoogleInSpec
module Container
module Property
class RegionalClusterMasterAuthorizedNetworksConfig
attr_reader :enabled

attr_reader :cidr_blocks

def initialize(args = nil, parent_identifier = nil)
return if args.nil?
@parent_identifier = parent_identifier
@enabled = args['enabled']
@cidr_blocks = GoogleInSpec::Container::Property::RegionalClusterMasterAuthorizedNetworksConfigCidrBlocksArray.parse(args['cidrBlocks'], to_s)
end

def to_s
"#{@parent_identifier} RegionalClusterMasterAuthorizedNetworksConfig"
end
end
end
end
end
@@ -0,0 +1,45 @@
# frozen_string_literal: false

# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in README.md and
# CONTRIBUTING.md located at the root of this package.
#
# ----------------------------------------------------------------------------
module GoogleInSpec
module Container
module Property
class RegionalClusterMasterAuthorizedNetworksConfigCidrBlocks
attr_reader :display_name

attr_reader :cidr_block

def initialize(args = nil, parent_identifier = nil)
return if args.nil?
@parent_identifier = parent_identifier
@display_name = args['displayName']
@cidr_block = args['cidrBlock']
end

def to_s
"#{@parent_identifier} RegionalClusterMasterAuthorizedNetworksConfigCidrBlocks"
end
end

class RegionalClusterMasterAuthorizedNetworksConfigCidrBlocksArray
def self.parse(value, parent_identifier)
return if value.nil?
return RegionalClusterMasterAuthorizedNetworksConfigCidrBlocks.new(value, parent_identifier) unless value.is_a?(::Array)
value.map { |v| RegionalClusterMasterAuthorizedNetworksConfigCidrBlocks.new(v, parent_identifier) }
end
end
end
end
end
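Review bot: `RegionalClusterMasterAuthorizedNetworksConfigCidrBlocksArray.parse` returns a single `...CidrBlocks` object when `value` is not an `Array`, so `cidr_blocks` on `RegionalClusterMasterAuthorizedNetworksConfig` is sometimes an object and sometimes an array; a control iterating `cidr_blocks` to check every allowed range breaks on the non-array case. Normalising first, e.g. `(value.is_a?(::Array) ? value : [value]).map { ... }`, keeps the return type consistent. Since the file is Magic Modules output, the change belongs in the generator template rather than here.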
2 changes: 1 addition & 1 deletion libraries/google_bigquery_dataset.rb
Expand Up @@ -40,7 +40,7 @@ class Dataset < GcpResourceBase
def initialize(params)
super(params.merge({ use_http_transport: true }))
@params = params
@fetched = @connection.fetch(product_url, resource_base_url, params)
@fetched = @connection.fetch(product_url, resource_base_url, params, 'Get')
parse unless @fetched.nil?
end

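Review bot: `fetch` already defaults `request_type` to `'Get'`, so passing `'Get'` explicitly here (and in the identical call-site hunks that follow) is redundant. Either drop the default in `gcp_backend.rb` so every caller states its verb, or leave these call sites untouched so the diff is limited to the resources that actually need a different request type.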
2 changes: 1 addition & 1 deletion libraries/google_bigquery_datasets.rb
Expand Up @@ -41,7 +41,7 @@ def initialize(params = {})

def fetch_wrapped_resource(wrap_path)
# fetch_resource returns an array of responses (to handle pagination)
result = @connection.fetch_all(product_url, resource_base_url, @params)
result = @connection.fetch_all(product_url, resource_base_url, @params, 'Get')
return if result.nil?

# Conversion of string -> object hash to symbol -> object hash that InSpec needs
2 changes: 1 addition & 1 deletion libraries/google_bigquery_table.rb
Expand Up @@ -64,7 +64,7 @@ class Table < GcpResourceBase
def initialize(params)
super(params.merge({ use_http_transport: true }))
@params = params
@fetched = @connection.fetch(product_url, resource_base_url, params)
@fetched = @connection.fetch(product_url, resource_base_url, params, 'Get')
parse unless @fetched.nil?
end

2 changes: 1 addition & 1 deletion libraries/google_bigquery_tables.rb
Expand Up @@ -55,7 +55,7 @@ def initialize(params = {})

def fetch_wrapped_resource(wrap_path)
# fetch_resource returns an array of responses (to handle pagination)
result = @connection.fetch_all(product_url, resource_base_url, @params)
result = @connection.fetch_all(product_url, resource_base_url, @params, 'Get')
return if result.nil?

# Conversion of string -> object hash to symbol -> object hash that InSpec needs
2 changes: 1 addition & 1 deletion libraries/google_cloudbuild_trigger.rb
Expand Up @@ -39,7 +39,7 @@ class Trigger < GcpResourceBase
def initialize(params)
super(params.merge({ use_http_transport: true }))
@params = params
@fetched = @connection.fetch(product_url, resource_base_url, params)
@fetched = @connection.fetch(product_url, resource_base_url, params, 'Get')
parse unless @fetched.nil?
end

2 changes: 1 addition & 1 deletion libraries/google_cloudbuild_triggers.rb
Expand Up @@ -44,7 +44,7 @@ def initialize(params = {})

def fetch_wrapped_resource(wrap_path)
# fetch_resource returns an array of responses (to handle pagination)
result = @connection.fetch_all(product_url, resource_base_url, @params)
result = @connection.fetch_all(product_url, resource_base_url, @params, 'Get')
return if result.nil?

# Conversion of string -> object hash to symbol -> object hash that InSpec needs
2 changes: 1 addition & 1 deletion libraries/google_cloudfunctions_cloud_function.rb
Expand Up @@ -47,7 +47,7 @@ class CloudFunction < GcpResourceBase
def initialize(params)
super(params.merge({ use_http_transport: true }))
@params = params
@fetched = @connection.fetch(product_url, resource_base_url, params)
@fetched = @connection.fetch(product_url, resource_base_url, params, 'Get')
parse unless @fetched.nil?
end

2 changes: 1 addition & 1 deletion libraries/google_cloudfunctions_cloud_functions.rb
Expand Up @@ -52,7 +52,7 @@ def initialize(params = {})

def fetch_wrapped_resource(wrap_path)
# fetch_resource returns an array of responses (to handle pagination)
result = @connection.fetch_all(product_url, resource_base_url, @params)
result = @connection.fetch_all(product_url, resource_base_url, @params, 'Get')
return if result.nil?

# Conversion of string -> object hash to symbol -> object hash that InSpec needs