Merge pull request #51 from inspec/vm-updates

VM Updates
inspec · Sep 11, 2018 · 79350a4 · 79350a4
2 parents f2d536d + 5cfacf2
commit 79350a4
Show file tree

Hide file tree

Showing 4 changed files with 144 additions and 0 deletions.
diff --git a/docs/resources/google_compute_project_info.md b/docs/resources/google_compute_project_info.md
@@ -0,0 +1,49 @@
+---
+title: About the google_compute_project_info Resource
+platform: gcp
+---
+
+# google\_compute\_project\_info
+
+Use the `google_compute_project_info` InSpec audit resource to test GCP compute project information.
+
+<br>
+
+## Syntax
+
+A `google_compute_project_info` resource block declares the tests for GCP compute project information by project identifier.
+
+    describe google_compute_project_info(project: 'chef-inspec-gcp') do
+      its('name') { should match 'chef-inspec-gcp' }
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that GCP compute project information exists
+
+    describe google_compute_project_info(project: 'chef-inspec-gcp') do
+      it { should exist }
+    end
+
+### Test that GCP compute project default service account is as expected
+
+    describe google_compute_project_info(project: 'chef-inspec-gcp') do
+      its('default_service_account') { should eq '12345-compute@developer.gserviceaccount.com' }
+    end
+
+<br>
+
+## Properties
+
+*  `common_instance_metadata`, `creation_timestamp`,  `creation_timestamp_date`, `default_service_account`, `id`, `kind`, `name`, `quotas`, `xpn_project_status`
+
+<br>
+
+
+## GCP Permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the project where the resource is located.
diff --git a/libraries/google_compute_instance.rb b/libraries/google_compute_instance.rb
@@ -110,6 +110,40 @@ def labels_values
       labels.item.values
     end
 
+    def service_account_scopes
+      # note instances can have only one service account defined
+      return [] if !defined?(@instance.service_accounts[0].scopes)
+      @instance.service_accounts[0].scopes
+    end
+
+    def block_project_ssh_keys
+      return false if !defined?(@instance.metadata.items)
+      @instance.metadata.items.each do |element|
+        return true if element.key=='block-project-ssh-keys' and element.value.casecmp('true').zero?
+      end
+      false
+    end
+
+    def has_serial_port_disabled?
+      return false if !defined?(@instance.metadata.items)
+      @instance.metadata.items.each do |element|
+        return true if element.key=='serial-port-enable' and element.value.casecmp('false').zero?
+        return true if element.key=='serial-port-enable' and element.value=='0'
+      end
+      false
+    end
+
+    def has_disks_encrypted_with_csek?
+      return false if !defined?(@instance.disks)
+      @instance.disks.each do |disk|
+        return false if !defined?(disk.disk_encryption_key)
+        return false if disk.disk_encryption_key.nil?
+        return false if !defined?(disk.disk_encryption_key.sha256)
+        return false if disk.disk_encryption_key.sha256.nil?
+      end
+      true
+    end
+
     def exists?
       !@instance.nil?
     end

diff --git a/libraries/google_compute_project_info.rb b/libraries/google_compute_project_info.rb
@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require 'gcp_backend'
+
+module Inspec::Resources
+  class GoogleComputeProjectInfo < GcpResourceBase
+    name 'google_compute_project_info'
+    desc 'Verifies settings for GCP Compute Project Info'
+
+    example "
+      describe google_compute_project_info(project: 'chef-inspec-gcp') do
+        it { should exist }
+      end
+    "
+
+    def initialize(opts = {})
+      # Call the parent class constructor
+      super(opts)
+      @display_name = opts[:project]
+      catch_gcp_errors do
+        @project_info = @gcp.gcp_compute_client.get_project(opts[:project])
+        create_resource_methods(@project_info)
+      end
+    end
+
+    def has_enabled_oslogin?
+      return false if !defined?(@project_info.common_instance_metadata.items)
+      @project_info.common_instance_metadata.items.each do |element|
+        return true if element.key=='enable-oslogin' and element.value.casecmp('true').zero?
+      end
+      false
+    end
+
+    def creation_timestamp_date
+      return false if !defined?(creation_timestamp)
+      Time.parse(creation_timestamp.to_s)
+    end
+
+    def exists?
+      !@project_info.nil?
+    end
+
+    def to_s
+      "Compute Project Info #{@display_name}"
+    end
+  end
+end
diff --git a/test/integration/verify/controls/google_compute_project_info.rb b/test/integration/verify/controls/google_compute_project_info.rb
@@ -0,0 +1,14 @@
+title 'Test GCP Compute Project Info'
+
+gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.')
+
+control 'gcp-compute-project-info-1.0' do
+
+  impact 1.0
+  title 'Ensure GCP Compute Project Info has the correct properties.'
+
+  describe google_compute_project_info(project: gcp_project_id) do
+    it { should exist }
+    its('name') { should eq gcp_project_id }
+  end
+end