Inspec iam gen (#2962)

Merged PR #2962.
GoogleCloudPlatform · Jan 13, 2020 · 78a66e7 · 78a66e7
1 parent ed80aef
commit 78a66e7
Show file tree

Hide file tree

Showing 14 changed files with 100 additions and 3 deletions.
diff --git a/build/ansible b/build/ansible
diff --git a/build/inspec b/build/inspec
diff --git a/products/iam/api.yaml b/products/iam/api.yaml
@@ -149,3 +149,12 @@ objects:
         name: validBeforeTime
         description: Key can only be used before this time.
         output: true
+      - !ruby/object:Api::Type::Enum
+        name: keyType
+        output: true
+        description: |
+          Specifies the type of the key. Possible values include KEY_TYPE_UNSPECIFIED, USER_MANAGED and SYSTEM_MANAGED
+        values:
+          - :KEY_TYPE_UNSPECIFIED
+          - :USER_MANAGED
+          - :SYSTEM_MANAGED
diff --git a/products/iam/inspec.yaml b/products/iam/inspec.yaml
@@ -0,0 +1,36 @@
+# Copyright 2020 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+--- !ruby/object:Provider::Inspec::Config
+overrides: !ruby/object:Overrides::ResourceOverrides
+  Role: !ruby/object:Overrides::Inspec::ResourceOverride
+    name: CustomRole
+    base_url: projects/{{project}}/roles?view=FULL
+    self_link: projects/{{project}}/roles/{{name}}
+    privileged: true
+  ServiceAccount: !ruby/object:Overrides::Inspec::ResourceOverride
+    privileged: true
+    properties:
+      name: !ruby/object:Overrides::Inspec::PropertyOverride
+        override_name: service_account_name
+      displayName: !ruby/object:Overrides::Inspec::PropertyOverride
+        override_name: service_account_display_name
+      uniqueId: !ruby/object:Overrides::Inspec::PropertyOverride
+        override_name: service_account_id
+      email: !ruby/object:Overrides::Inspec::PropertyOverride
+        override_name: service_account_email
+  ServiceAccountKey: !ruby/object:Overrides::Inspec::ResourceOverride
+    privileged: true
+    properties:
+      name: !ruby/object:Overrides::Inspec::PropertyOverride
+        override_name: key_name
diff --git a/templates/inspec/examples/attributes/external_attributes.yml b/templates/inspec/examples/attributes/external_attributes.yml
@@ -24,4 +24,5 @@ gcp_storage_bucket_object: bucket-with-object
 gcp_kms_key_ring_policy_name: kms-key-ring
 gcp_kms_crypto_key_name_policy: kms-key
 gcp_db_instance_name: my-database
-gcp_db_user_name: user-name
+gcp_db_user_name: user-name
+gcp_project_iam_custom_role_id: admin-role
diff --git a/templates/inspec/examples/google_iam_custom_role/google_iam_custom_role.erb b/templates/inspec/examples/google_iam_custom_role/google_iam_custom_role.erb
@@ -0,0 +1,11 @@
+<% gcp_project_id = "#{external_attribute('gcp_project_id', doc_generation)}" -%>
+<% gcp_project_iam_custom_role_id = "#{external_attribute('gcp_project_iam_custom_role_id', doc_generation)}" -%>
+describe google_iam_custom_role(project: <%= gcp_project_id -%>, name: <%= gcp_project_iam_custom_role_id -%>) do
+  it { should exist }
+  its('stage') { should eq 'GA' }
+  its('included_permissions') { should eq ["iam.roles.list"] }
+end
+
+describe google_iam_custom_role(project: <%= gcp_project_id -%>, name: 'nonexistent') do
+  it { should_not exist }
+end
diff --git a/templates/inspec/examples/google_iam_custom_role/google_iam_custom_role_attributes.erb b/templates/inspec/examples/google_iam_custom_role/google_iam_custom_role_attributes.erb
@@ -0,0 +1,3 @@
+gcp_project_id = attribute(:gcp_project_id, default: '<%= external_attribute('gcp_project_id') -%>', description: 'The GCP project identifier.')
+gcp_project_iam_custom_role_id = attribute(:gcp_project_iam_custom_role_id, default: '<%= external_attribute('gcp_project_iam_custom_role_id') -%>', description: 'The IAM custom role identifier.')
+gcp_enable_privileged_resources = attribute(:gcp_enable_privileged_resources, default:0, description:'Flag to enable privileged resources requiring elevated privileges in GCP.')
diff --git a/templates/inspec/examples/google_iam_custom_role/google_iam_custom_roles.erb b/templates/inspec/examples/google_iam_custom_role/google_iam_custom_roles.erb
@@ -0,0 +1,5 @@
+<% gcp_project_id = "#{external_attribute('gcp_project_id', doc_generation)}" -%>
+<% gcp_project_iam_custom_role_id = "#{external_attribute('gcp_project_iam_custom_role_id', doc_generation)}" -%>
+describe google_iam_custom_roles(project: <%= gcp_project_id -%>) do
+  its('names') { should include "projects/<%= doc_generation ? "project-id" : "\#{gcp_project_id}" -%>/roles/<%= doc_generation ? "role-id" : "\#{gcp_project_iam_custom_role_id}" -%>" }
+end
diff --git a/templates/inspec/examples/google_iam_service_account/google_iam_service_account.erb b/templates/inspec/examples/google_iam_service_account/google_iam_service_account.erb
@@ -0,0 +1,10 @@
+<% gcp_project_id = "#{external_attribute('gcp_project_id', doc_generation)}" -%>
+<% gcp_service_account_display_name = "#{external_attribute('gcp_service_account_display_name', doc_generation)}" -%>
+describe google_iam_service_account(project: <%= gcp_project_id -%>, name: "<%= doc_generation ? "display-name" : "\#{gcp_service_account_display_name}" -%>@<%= doc_generation ? "project-id" : "\#{gcp_project_id}" -%>.iam.gserviceaccount.com") do
+  it { should exist }
+  its('display_name') { should cmp <%= gcp_service_account_display_name -%> }
+end
+
+describe google_iam_service_account(project: <%= gcp_project_id -%>, name: "nonexistent@<%= doc_generation ? "project-id" : "\#{gcp_project_id}" -%>.iam.gserviceaccount.com") do
+  it { should_not exist }
+end
diff --git a/...ates/inspec/examples/google_iam_service_account/google_iam_service_account_attributes.erb b/...ates/inspec/examples/google_iam_service_account/google_iam_service_account_attributes.erb
@@ -0,0 +1,3 @@
+gcp_project_id = attribute(:gcp_project_id, default: '<%= external_attribute('gcp_project_id') -%>', description: 'The GCP project identifier.')
+gcp_service_account_display_name = attribute(:gcp_service_account_display_name, default: '<%= external_attribute('gcp_service_account_display_name') -%>', description: 'The IAM service account display name.')
+gcp_enable_privileged_resources = attribute(:gcp_enable_privileged_resources, default:0, description:'Flag to enable privileged resources requiring elevated privileges in GCP.')
diff --git a/templates/inspec/examples/google_iam_service_account/google_iam_service_accounts.erb b/templates/inspec/examples/google_iam_service_account/google_iam_service_accounts.erb
@@ -0,0 +1,6 @@
+<% gcp_project_id = "#{external_attribute('gcp_project_id', doc_generation)}" -%>
+<% gcp_service_account_display_name = "#{external_attribute('gcp_service_account_display_name', doc_generation)}" -%>
+describe google_iam_service_accounts(project: <%= gcp_project_id -%>, name: "<%= doc_generation ? "display-name" : "\#{gcp_service_account_display_name}" -%>@<%= doc_generation ? "project-id" : "\#{gcp_project_id}" -%>.iam.gserviceaccount.com") do
+  its('service_account_emails') { should include "<%= doc_generation ? "display-name" : "\#{gcp_service_account_display_name}" -%>@<%= doc_generation ? "project-id" : "\#{gcp_project_id}" -%>.iam.gserviceaccount.com" }
+  its('count') { should be <= 1000 }
+end
diff --git a/templates/inspec/examples/google_iam_service_account_key/google_iam_service_account_key.erb b/templates/inspec/examples/google_iam_service_account_key/google_iam_service_account_key.erb
@@ -0,0 +1,5 @@
+<% gcp_project_id = "#{external_attribute('gcp_project_id', doc_generation)}" -%>
+<% gcp_service_account_display_name = "#{external_attribute('gcp_service_account_display_name', doc_generation)}" -%>
+google_iam_service_account_keys(project: <%= gcp_project_id -%>, service_account: "<%= doc_generation ? "display-name" : "\#{gcp_service_account_display_name}" -%>@<%= doc_generation ? "project-id" : "\#{gcp_project_id}" -%>.iam.gserviceaccount.com").key_names.each do |sa_key_name|
+	describe 
+end
diff --git a/...pec/examples/google_iam_service_account_key/google_iam_service_account_key_attributes.erb b/...pec/examples/google_iam_service_account_key/google_iam_service_account_key_attributes.erb
@@ -0,0 +1,3 @@
+gcp_project_id = attribute(:gcp_project_id, default: '<%= external_attribute('gcp_project_id') -%>', description: 'The GCP project identifier.')
+gcp_service_account_display_name = attribute(:gcp_service_account_display_name, default: '<%= external_attribute('gcp_service_account_display_name') -%>', description: 'The IAM service account display name.')
+gcp_enable_privileged_resources = attribute(:gcp_enable_privileged_resources, default:0, description:'Flag to enable privileged resources requiring elevated privileges in GCP.')
diff --git a/templates/inspec/examples/google_iam_service_account_key/google_iam_service_account_keys.erb b/templates/inspec/examples/google_iam_service_account_key/google_iam_service_account_keys.erb
@@ -0,0 +1,5 @@
+<% gcp_project_id = "#{external_attribute('gcp_project_id', doc_generation)}" -%>
+<% gcp_service_account_display_name = "#{external_attribute('gcp_service_account_display_name', doc_generation)}" -%>
+describe google_iam_service_account_keys(project: <%= gcp_project_id -%>, service_account: "<%= doc_generation ? "display-name" : "\#{gcp_service_account_display_name}" -%>@<%= doc_generation ? "project-id" : "\#{gcp_project_id}" -%>.iam.gserviceaccount.com") do
+  its('count') { should be <= 1000 }
+end