Inspec resource folder

overrides/inspec/resource_override.rb

@@ -22,6 +22,8 @@ def self.attributes
         %i[
           manual
           additional_functions
+          product_url
+          privileged
         ]
       end
 
@@ -31,6 +33,10 @@ def validate
         check :manual, type: :boolean, default: false
         super
         check :additional_functions, type: String
+        check :product_url, type: String
+        # true if the resources requires organization level privileges
+        # resource manager Folder is an example of a privileged resource
+        check :privileged, type: :boolean, default: false
       end
     end
   end

products/resourcemanager/ansible.yaml

@@ -29,9 +29,13 @@ datasources: !ruby/object:Overrides::ResourceOverrides
       has_filters: false
   Lien: !ruby/object:Overrides::Ansible::ResourceOverride
     exclude: true
+  Folder: !ruby/object:Overrides::Ansible::ResourceOverride
+    exclude: true
 overrides: !ruby/object:Overrides::ResourceOverrides
   Lien: !ruby/object:Overrides::Ansible::ResourceOverride
     exclude: true
+  Folder: !ruby/object:Overrides::Ansible::ResourceOverride
+    exclude: true
   Project: !ruby/object:Overrides::Ansible::ResourceOverride
     return_if_object: |
 <%= lines(indent(compile('products/resourcemanager/helpers/ansible/return_if_object.py'), 6)) -%>

products/resourcemanager/api.yaml

@@ -175,3 +175,48 @@ objects:
         name: 'createTime'
         description: 'Time of creation'
         output: true
+  - !ruby/object:Api::Resource
+    name: 'Folder'
+    base_url: 'folders?parent={{parent}}'
+    self_link: '{{name}}'
+    collection_url_response: !ruby/object:Api::Resource::ResponseList
+      items: 'folders'
+    description: A Folder in an Organization's resource hierarchy, used to organize that Organization's resources.
+    parameters:
+      - !ruby/object:Api::Type::String
+        name: parent
+        input: true
+        required: true
+        description: |
+          The Folder’s parent's resource name. Updates to the folder's parent
+          must be performed via folders.move.
+      - !ruby/object:Api::Type::String
+        name: displayName
+        description: |
+          The folder’s display name. A folder’s display name must be unique
+          amongst its siblings, e.g. no two folders with the same parent can
+          share the same display name. The display name must start and end with
+          a letter or digit, may contain letters, digits, spaces, hyphens and
+          underscores and can be no longer than 30 characters. This is captured
+          by the regular expression: `[\p{L}\p{N}]([\p{L}\p{N}_- ]{0,28}[\p{L}\p{N}])?`.
+    properties:
+      - !ruby/object:Api::Type::String
+        name: name
+        output: true
+        description: |
+          The resource name of the Folder. Its format is folders/{folder_id},
+          for example: "folders/1234".
+      - !ruby/object:Api::Type::Enum
+        name: 'lifecycleState'
+        description: |
+          The lifecycle state of the folder. Updates to the lifecycleState
+          must be performed via folders.delete and folders.undelete.
+        output: true
+        values:
+          - :LIFECYCLE_STATE_UNSPECIFIED
+          - :ACTIVE
+          - :DELETE_REQUESTED
+      - !ruby/object:Api::Type::Time
+        name: 'createTime'
+        description: 'Time of creation'
+        output: true

products/resourcemanager/inspec.yaml

@@ -0,0 +1,30 @@
+# Copyright 2017 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+--- !ruby/object:Provider::Inspec::Config
+manifest: !ruby/object:Provider::Inspec::Manifest
+  summary: 'InSpec resources for verifying GCP infrastructure'
+  description: |
+    InSpec resources for verifying GCP infrastructure
+overrides: !ruby/object:Overrides::ResourceOverrides
+  Lien: !ruby/object:Overrides::Inspec::ResourceOverride
+    exclude: true
+  Project: !ruby/object:Overrides::Inspec::ResourceOverride
+    exclude: true
+  Folder: !ruby/object:Overrides::Inspec::ResourceOverride
+    product_url: https://cloudresourcemanager.googleapis.com/v2/
+    # Creating and viewing folders requires organization level privileges
+    privileged: true
+files: !ruby/object:Provider::Config::Files
+  copy:
+    'Gemfile': 'provider/inspec/Gemfile'

products/resourcemanager/terraform.yaml

@@ -33,6 +33,8 @@ overrides: !ruby/object:Overrides::ResourceOverrides
       post_import: templates/terraform/post_import/lien_import.erb
       pre_delete: templates/terraform/pre_delete/modify_delete_url.erb
       decoder: templates/terraform/decoders/avoid_meaningless_project_update.erb
+  Folder: !ruby/object:Overrides::Terraform::ResourceOverride
+    exclude: true
 # This is for copying files over
 files: !ruby/object:Provider::Config::Files
   # These files have templating (ERB) code that will be run.

provider/inspec.rb

@@ -125,6 +125,7 @@ def generate_inspec_test(data, name, target_folder, attribute_file_name)
         attribute_file_name: attribute_file_name,
         doc_generation: false,
         default_template: 'templates/inspec/integration_test_template.erb',
+        privileged: data[:object].privileged,
         out_file: File.join(
           target_folder,
           'integration/verify/controls',

templates/inspec/examples/attributes/external_attributes.yml

@@ -6,4 +6,5 @@ gcp_compute_disk_type: 'pd-standard'
 gcp_lb_mig1_name: 'gcp-managed-group-name'
 gcp_ext_vm_name: 'gcp_ext_vm_name'
 gcp_location: europe-west2
-gcp_network_name: gcp-inspec-network
+gcp_network_name: gcp-inspec-network
+gcp_organization_id: 190694428152

templates/inspec/examples/google_resourcemanager_folder/google_resourcemanager_folder.erb

@@ -0,0 +1,9 @@
+<% folder = grab_attributes['folder'] -%>
+describe.one do
+  google_resourcemanager_folders(parent: <%= doc_generation ? "'organizations/12345'" : "\"organizations/\#{gcp_organization_id}\"" -%>).names.each do |name|
+    describe google_resourcemanager_folder(name: name) do
+      it { should exist }
+      its('display_name') { should eq <%= doc_generation ? "'#{folder['display_name']}'" : "folder['display_name']" -%> }
+    end
+  end
+end

templates/inspec/examples/google_resourcemanager_folder/google_resourcemanager_folder_attributes.erb

@@ -0,0 +1,3 @@
+folder = attribute('folder', default: <%= grab_attributes['folder'] -%>)
+gcp_organization_id = attribute(:gcp_organization_id, default: <%= external_attribute('gcp_organization_id') -%>, description: 'The identifier of the organization that is the parent of this folder')
+gcp_enable_privileged_resources = attribute(:gcp_enable_privileged_resources, default:0, description:'Flag to enable privileged resources requiring elevated privileges in GCP.')

templates/inspec/examples/google_resourcemanager_folder/google_resourcemanager_folders.erb

@@ -0,0 +1,8 @@
+<% folder = grab_attributes['folder'] -%>
+describe.one do
+  google_resourcemanager_folders(parent: <%= doc_generation ? "'organizations/12345'" : "\"organizations/\#{gcp_organization_id}\"" -%>).display_names.each do |display_name|
+    describe display_name do
+      it { should eq <%= doc_generation ? "'#{folder['display_name']}'" : "folder['display_name']" -%> }
+    end
+  end
+end

templates/inspec/integration_test_template.erb

@@ -14,6 +14,9 @@ control '<%= name -%>-1.0' do
   impact 1.0
   title '<%= name -%> resource test'
 
+<% if privileged -%>
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != ''}
+<% end # if privileged -%>
 <% if vcr_mode -%>
   VCR.use_cassette('<%= name -%>', :record => :<%= vcr_mode -%>) do
 <% end # if vcr_mode -%>

templates/inspec/plural_resource.erb

@@ -85,11 +85,10 @@ link_query = object.self_link_query || object.collection_url_response
     time_string ? Time.parse(time_string) : nil
   end
 
-<% base = "'#{object.self_link_url[0].join}'" -%>
   private
 
   def product_url
-    <%= base %>
+    '<%= object.product_url || object.self_link_url[0].join %>'
   end
 
   def resource_base_url

templates/inspec/singular_resource.erb

@@ -90,7 +90,7 @@ class <%= object.name -%> < GcpResourceBase
   private
 
   def product_url
-    '<%= object.self_link_url[0].join %>'
+    '<%= object.product_url || object.self_link_url[0].join %>'
   end
 
   def resource_base_url

templates/inspec/tests/integration/build/gcp-mm.tf

@@ -110,6 +110,15 @@ variable "repository" {
   type = "map"
 }
 
+variable "folder" {
+  type = "map"
+}
+
+variable "gcp_organization_id" {
+  type = "string"
+  default = "none"
+}
+
 resource "google_compute_ssl_policy" "custom-ssl-policy" {
   name            = "${var.ssl_policy["name"]}"
   min_tls_version = "${var.ssl_policy["min_tls_version"]}"
@@ -442,4 +451,10 @@ resource "google_bigquery_table" "gcp-inspec-bigquery-table" {
 resource "google_sourcerepo_repository" "gcp-inspec-sourcerepo-repository" {
   project = "${var.gcp_project_id}"
   name = "${var.repository["name"]}"
+}
+
+resource "google_folder" "inspec-gcp-folder" {
+  count = "${var.gcp_organization_id == "none" ? 0 : var.gcp_enable_privileged_resources}"
+  display_name = "${var.folder["display_name"]}"
+  parent       = "${var.gcp_organization_id}"
 }

templates/inspec/tests/integration/configuration/mm-attributes.yml

@@ -186,4 +186,7 @@ bigquery_table:
   time_partitioning_type: DAY
 
 repository:
-  name: inspec-gcp-repository
+  name: inspec-gcp-repository
+
+folder:
+  display_name: inspec-gcp-folder