Merge pull request #45 from inspec/network-subnetwork

Added google_compute_network(s) and google_compute_subnetwork(s) resources.
inspec · Aug 29, 2018 · 8d105fd · 8d105fd
2 parents 3561fd7 + 0db00de
commit 8d105fd
Show file tree

Hide file tree

Showing 16 changed files with 596 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -75,6 +75,10 @@ The following resources are available in the InSpec GCP Profile
 - [google_compute_instance_group](docs/resources/google_compute_instance_group.md)
 - [google_compute_instance_groups](docs/resources/google_compute_instance_groups.md)
 - [google_compute_instances](docs/resources/google_compute_instances.md)
+- [google_compute_network](docs/resources/google_compute_network.md)
+- [google_compute_networks](docs/resources/google_compute_networks.md)
+- [google_compute_subnetwork](docs/resources/google_compute_subnetwork.md)
+- [google_compute_subnetworks](docs/resources/google_compute_subnetworks.md)
 - [google_compute_zone](docs/resources/google_compute_zone.md)
 - [google_compute_zones](docs/resources/google_compute_zones.md)
 - [google_container_cluster](docs/resources/google_container_cluster.md)

diff --git a/docs/resources/google_compute_network.md b/docs/resources/google_compute_network.md
@@ -0,0 +1,77 @@
+---
+title: About the google_compute_network Resource
+platform: gcp
+---
+
+# google\_compute\_network
+
+Use the `google_compute_network` InSpec audit resource to test properties of a single GCP compute network.
+
+<br>
+
+## Syntax
+
+A `google_compute_network` resource block declares the tests for a single GCP zone by project and name.
+
+    describe google_compute_network(project: 'chef-inspec-gcp',  name: 'gcp-inspec-network') do
+      it { should exist }
+      its('name') { should eq 'gcp-inspec-network' }
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that a GCP compute network exists
+
+    describe google_compute_network(project: 'chef-inspec-gcp',  name: 'gcp-inspec-network') do
+      it { should exist }
+    end
+
+### Test when a GCP compute network was created
+
+    describe google_compute_network(project: 'chef-inspec-gcp',  name: 'gcp-inspec-network') do
+      its('creation_timestamp_date') { should be > Time.now - 365*60*60*24*10 }
+    end    
+
+### Test for an expected network identifier 
+
+    describe google_compute_network(project: 'chef-inspec-gcp',  name: 'gcp-inspec-network') do
+      its('id') { should eq 12345567789 }
+    end    
+
+
+### Test whether a single attached subnetwork name is correct 
+
+    describe google_compute_network(project: 'chef-inspec-gcp',  name: 'gcp-inspec-network') do
+      its ('subnetworks.count') { should eq 1 }
+      its ('subnetworks.first') { should match "subnetwork-name"}
+    end    
+
+### Test whether the network is configured to automatically create subnetworks or not
+
+    describe google_compute_network(project: 'chef-inspec-gcp',  name: 'gcp-inspec-network') do
+      its ('auto_create_subnetworks'){ should be false }
+    end    
+
+
+### Check the network routing configuration routing mode 
+
+    describe google_compute_network(project: 'chef-inspec-gcp',  name: 'gcp-inspec-network') do
+      its ('routing_config.routing_mode') { should eq "REGIONAL" }
+    end
+
+<br>
+
+## Properties
+
+*  `auto_create_subnetworks`, `creation_timestamp`, `creation_timestamp_date`, `id`, `kind`, `name`, `routing_config`, `subnetworks`
+
+<br>
+
+
+## GCP Permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the project where the resource is located.
diff --git a/docs/resources/google_compute_networks.md b/docs/resources/google_compute_networks.md
@@ -0,0 +1,72 @@
+---
+title: About the google_compute_networks Resource
+platform: gcp
+---
+
+# google\_compute\_networks
+
+Use the `google_compute_networks` InSpec audit resource to test properties of all, or a filtered group of, GCP compute networks for a project.
+
+<br>
+
+## Syntax
+
+A `google_compute_networks` resource block collects GCP networks by project then tests that group.
+
+    describe google_compute_networks(project: 'chef-inspec-gcp') do
+      it { should exist }
+    end
+
+Use this InSpec resource to enumerate IDs then test in-depth using `google_compute_network`.
+
+    google_compute_networks(project: 'chef-inspec-gcp').network_names.each do |network_name|
+      describe google_compute_network(project: 'chef-inspec-gcp',  name: network_name) do
+        its ('subnetworks.count') { should be < 10 }
+        its ('creation_timestamp_date') { should be > Time.now - 365*60*60*24*10 }
+        its ('routing_config.routing_mode') { should eq "REGIONAL" }
+        its ('auto_create_subnetworks'){ should be false }
+      end
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that there are no more than a specified number of networks available for the project
+
+    describe google_compute_networks(project: 'chef-inspec-gcp') do
+      its('count') { should be <= 100}
+    end
+
+### Test that an expected network identifier is present in the project 
+
+    describe google_compute_networks(project: 'chef-inspec-gcp') do
+      its('network_ids') { should include 12345678975432 }
+    end
+
+### Test that an expected network name is available for the project
+
+    describe google_compute_networks(project: 'chef-inspec-gcp') do
+      its('network_names') { should include "network-name" }
+    end
+
+
+<br>
+
+## Filter Criteria
+
+This resource supports the following filter criteria:  `network_id` and `network_name`. Any of these may be used with `where`, as a block or as a method.
+
+## Properties
+
+*  `network_ids` - an array of google_compute_network identifier integers
+*  `network_names` - an array of google_compute_network name strings
+
+<br>
+
+
+## GCP Permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the project where the resource is located.
diff --git a/docs/resources/google_compute_subnetwork.md b/docs/resources/google_compute_subnetwork.md
@@ -0,0 +1,81 @@
+---
+title: About the google_compute_subnetwork Resource
+platform: gcp
+---
+
+# google\_compute\_subnetwork
+
+Use the `google_compute_subnetwork` InSpec audit resource to test properties of a single GCP compute subnetwork.
+
+<br>
+
+## Syntax
+
+A `google_compute_subnetwork` resource block declares the tests for a single GCP subnetwork by project, region and name.
+
+    describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-subnetwork') do
+      it { should exist }
+      its('name') { should eq 'gcp-inspec-subnetwork' }
+      its('region') { should match 'europe-west2' }
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that a GCP compute subnetwork exists
+
+    describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-subnetwork') do
+      it { should exist }
+    end
+
+### Test when a GCP compute subnetwork was created
+
+    describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-subnetwork') do
+      its('creation_timestamp_date') { should be > Time.now - 365*60*60*24*10 }
+    end
+
+### Test for an expected subnetwork identifier 
+
+    describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-subnetwork') do
+      its('id') { should eq 12345567789 }
+    end    
+
+### Test that a subnetwork gateway address is as expected
+
+    describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-subnetwork') do
+      its('gateway_address') { should eq "10.2.0.1" }
+    end  
+
+### Test that a subnetwork IP CIDR range is as expected
+
+    describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-subnetwork') do
+      its('ip_cidr_range') { should eq "10.2.0.0/29" }
+    end  
+
+### Test that a subnetwork is associated with the expected network
+
+    describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-subnetwork') do
+      its('network') { should match "gcp_network_name" }
+    end  
+
+### Test whether VMs in this subnet can access Google services without assigning external IP addresses through Private Google Access
+
+    describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: 'gcp-inspec-subnetwork') do
+      its('private_ip_google_access') { should be false }
+    end
+
+<br>
+
+## Properties
+
+*  `creation_timestamp`, `creation_timestamp_date`, `gateway_address`, `id`, `ip_cidr_range`, `kind`, `name`, `network`, `private_ip_google_access`, `region`
+
+<br>
+
+
+## GCP Permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the project where the resource is located.
diff --git a/docs/resources/google_compute_subnetworks.md b/docs/resources/google_compute_subnetworks.md
@@ -0,0 +1,80 @@
+---
+title: About the google_compute_subnetworks Resource
+platform: gcp
+---
+
+# google\_compute\_subnetworks
+
+Use the `google_compute_subnetworks` InSpec audit resource to test properties of all, or a filtered group of, GCP compute subnetworks for a project and region.
+
+<br>
+
+## Syntax
+
+A `google_compute_subnetworks` resource block collects GCP subnetworks by project and region, then tests that group.
+
+    describe google_compute_subnetworks(project: 'chef-inspec-gcp', region: 'europe-west2') do
+      it { should exist }
+    end
+
+Use this InSpec resource to enumerate IDs then test in-depth using `google_compute_subnetwork`.
+
+    google_compute_subnetworks(project: 'chef-inspec-gcp', region:'europe-west2').subnetwork_names.each do |subnetwork_name|
+      describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: name: subnetwork_name) do
+        its('creation_timestamp_date') { should be > Time.now - 365*60*60*24*10 }
+        its('ip_cidr_range') { should eq "10.2.0.0/29" }
+        its('network') { should match "gcp_network_name" }
+        its('private_ip_google_access') { should be false }
+      end
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that there are no more than a specified number of subnetworks available for the project and region
+
+    describe google_compute_subnetworks(project: 'chef-inspec-gcp', region: 'europe-west2') do
+      its('count') { should be <= 100}
+    end
+
+### Test that an expected subnetwork identifier is present in the project and region
+
+    describe google_compute_subnetworks(project: 'chef-inspec-gcp', region: 'europe-west2') do
+      its('subnetwork_ids') { should include 12345678975432 }
+    end
+
+
+### Test that an expected subnetwork name is available for the project and region
+
+    describe google_compute_subnetworks(project: 'chef-inspec-gcp', region: 'europe-west2') do
+      its('subnetwork_names') { should include "subnetwork-name" }
+    end
+
+### Test that an expected subnetwork network name is not present for the project and region
+
+    describe google_compute_subnetworks(project: 'chef-inspec-gcp', region: 'europe-west2') do
+      its('subnetwork_networks') { should not include "network-name" }
+    end
+
+
+<br>
+
+## Filter Criteria
+
+This resource supports the following filter criteria:  `subnetwork_id`; `subnetwork_name` and `subnetwork_network`. Any of these may be used with `where`, as a block or as a method.
+
+## Properties
+
+*  `subnetwork_ids` - an array of google_compute_subnetwork identifier integers
+*  `subnetwork_names` - an array of google_compute_subnetwork name strings
+*  `subnetwork_networks` - an array of google_compute_network name strings
+
+<br>
+
+
+## GCP Permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the project where the resource is located.
diff --git a/libraries/google_compute_network.rb b/libraries/google_compute_network.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'gcp_backend'
+
+module Inspec::Resources
+  class GoogleComputeNetwork < GcpResourceBase
+    name 'google_compute_network'
+    desc 'Verifies settings for a compute network'
+
+    example "
+      describe google_compute_network(project: 'chef-inspec-gcp',  name: 'gcp-inspec-network') do
+        it { should exist }
+      end
+    "
+
+    def initialize(opts = {})
+      # Call the parent class constructor
+      super(opts)
+      @display_name = opts[:name]
+      catch_gcp_errors do
+        @network = @gcp.gcp_compute_client.get_network(opts[:project], opts[:name])
+        create_resource_methods(@network)
+      end
+    end
+
+    def exists?
+      !@network.nil?
+    end
+
+    def creation_timestamp_date
+      return false if !defined?(creation_timestamp)
+      Time.parse(creation_timestamp.to_s)
+    end
+
+    def to_s
+      "Network #{@display_name}"
+    end
+  end
+end