This repository has been archived by the owner on Nov 14, 2024. It is now read-only.

Inspec storage
Signed-off-by: Modular Magician <magic-modules@google.com>
slevenick authored and Stuart Paterson committed Apr 6, 2020
1 parent 74ffa1c commit 348094a
Showing 115 changed files with 2,385 additions and 850 deletions.
27 changes: 27 additions & 0 deletions docs/resources/google_compute_subnetwork_iam_binding.md
@@ -0,0 +1,27 @@
---
title: About the google_compute_subnetwork_iam_binding resource
platform: gcp
---

## Syntax
A `google_compute_subnetwork_iam_binding` is used to test a Google Subnetwork Iam Bindings

## Examples
```
describe google_compute_subnetwork_iam_binding(project: "project", region: "region", name: "name", role: "roles/editor") do
it { should exist }
its('members') { should include 'user:testuser@example.com' }
end
```

## Properties
Properties that can be accessed from the `google_compute_subnetwork_iam_binding` resource:

* `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.

* `members`: Specifies the identities requesting access for a Cloud Platform resource.


## GCP Permissions

Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the current project.
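Review bot: the Syntax sentence "is used to test a Google Subnetwork Iam Bindings" mixes singular and plural and lowercases the acronym; suggest "is used to test Google Subnetwork IAM bindings". In the example, `roles/editor` is a project-wide basic role, so binding it on a single subnetwork is an odd illustration; a subnetwork-scoped role such as `roles/compute.networkUser` would show what this resource is for. The page also never says what `it { should exist }` means for a binding (as opposed to the subnetwork itself existing); one sentence under Syntax would avoid that confusion.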
27 changes: 27 additions & 0 deletions docs/resources/google_pubsub_subscription_iam_binding.md
@@ -0,0 +1,27 @@
---
title: About the google_pubsub_subscription_iam_binding resource
platform: gcp
---

## Syntax
A `google_pubsub_subscription_iam_binding` is used to test a Google Subscription Iam Bindings

## Examples
```
describe google_pubsub_subscription_iam_binding(project: "project", name: "name", role: "roles/editor") do
it { should exist }
its('members') { should include 'user:testuser@example.com' }
end
```

## Properties
Properties that can be accessed from the `google_pubsub_subscription_iam_binding` resource:

* `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.

* `members`: Specifies the identities requesting access for a Cloud Platform resource.


## GCP Permissions

Ensure the [Cloud Pub/Sub API](https://console.cloud.google.com/apis/library/pubsub.googleapis.com/) is enabled for the current project.
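Review bot: "is used to test a Google Subscription Iam Bindings" has a number disagreement and should read "Google Subscription IAM bindings". The example binds `roles/editor`; a subscription-level role such as `roles/pubsub.subscriber` would be a more realistic member check and would better match the `members` assertion that follows.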
27 changes: 27 additions & 0 deletions docs/resources/google_pubsub_topic_iam_binding.md
@@ -0,0 +1,27 @@
---
title: About the google_pubsub_topic_iam_binding resource
platform: gcp
---

## Syntax
A `google_pubsub_topic_iam_binding` is used to test a Google Topic Iam Bindings

## Examples
```
describe google_pubsub_topic_iam_binding(project: "project", name: "name", role: "roles/editor") do
it { should exist }
its('members') { should include 'user:testuser@example.com' }
end
```

## Properties
Properties that can be accessed from the `google_pubsub_topic_iam_binding` resource:

* `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.

* `members`: Specifies the identities requesting access for a Cloud Platform resource.


## GCP Permissions

Ensure the [Cloud Pub/Sub API](https://console.cloud.google.com/apis/library/pubsub.googleapis.com/) is enabled for the current project.
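Review bot: "is used to test a Google Topic Iam Bindings" should read "Google Topic IAM bindings". As with the other binding docs, `roles/editor` is a project-level basic role; showing a topic-scoped role such as `roles/pubsub.publisher` in the example would make the intended use clearer.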
27 changes: 27 additions & 0 deletions docs/resources/google_resourcemanager_project_iam_binding.md
@@ -0,0 +1,27 @@
---
title: About the google_resourcemanager_project_iam_binding resource
platform: gcp
---

## Syntax
A `google_resourcemanager_project_iam_binding` is used to test a Google Project Iam Bindings

## Examples
```
describe google_resourcemanager_project_iam_binding(project_id: "projectId", role: "roles/editor") do
it { should exist }
its('members') { should include 'user:testuser@example.com' }
end
```

## Properties
Properties that can be accessed from the `google_resourcemanager_project_iam_binding` resource:

* `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.

* `members`: Specifies the identities requesting access for a Cloud Platform resource.


## GCP Permissions

Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the current project.
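Review bot: this resource takes `project_id:` while every other `*_iam_binding` resource added in this commit takes `project:`; if the difference is deliberate (a project binding has no separate parent project), the Syntax section should say so, otherwise readers will copy the wrong keyword from the sibling docs. The Syntax sentence "a Google Project Iam Bindings" should also read "Google Project IAM bindings".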
27 changes: 27 additions & 0 deletions docs/resources/google_runtime_config_config_iam_binding.md
@@ -0,0 +1,27 @@
---
title: About the google_runtime_config_config_iam_binding resource
platform: gcp
---

## Syntax
A `google_runtime_config_config_iam_binding` is used to test a Google Config Iam Bindings

## Examples
```
describe google_runtime_config_config_iam_binding(project: "project", name: "name", role: "roles/editor") do
it { should exist }
its('members') { should include 'user:testuser@example.com' }
end
```

## Properties
Properties that can be accessed from the `google_runtime_config_config_iam_binding` resource:

* `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.

* `members`: Specifies the identities requesting access for a Cloud Platform resource.


## GCP Permissions

Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the current project.
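Review bot: the GCP Permissions section points at the Cloud Resource Manager API, but runtime configs are served by the Cloud Runtime Configuration API (`runtimeconfig.googleapis.com`), so this looks copied from the project binding doc and should link that API instead. The Syntax sentence "a Google Config Iam Bindings" should read "Google Config IAM bindings".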
27 changes: 27 additions & 0 deletions docs/resources/google_spanner_instance_iam_binding.md
@@ -0,0 +1,27 @@
---
title: About the google_spanner_instance_iam_binding resource
platform: gcp
---

## Syntax
A `google_spanner_instance_iam_binding` is used to test a Google Instance Iam Bindings

## Examples
```
describe google_spanner_instance_iam_binding(project: "project", name: "name", role: "roles/editor") do
it { should exist }
its('members') { should include 'user:testuser@example.com' }
end
```

## Properties
Properties that can be accessed from the `google_spanner_instance_iam_binding` resource:

* `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.

* `members`: Specifies the identities requesting access for a Cloud Platform resource.


## GCP Permissions

Ensure the [Cloud Spanner API](https://console.cloud.google.com/apis/library/spanner.googleapis.com/) is enabled for the current project.
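Review bot: "is used to test a Google Instance Iam Bindings" should read "Google Instance IAM bindings", and "Instance" alone is ambiguous on this page; "Spanner instance" would help. The example's `roles/editor` is a project-level basic role; an instance-scoped role such as `roles/spanner.databaseUser` would be a more representative binding to assert on.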
156 changes: 126 additions & 30 deletions docs/resources/google_storage_bucket.md
@@ -1,56 +1,152 @@
---
title: About the google_storage_bucket Resource
title: About the google_storage_bucket resource
platform: gcp
---

# google\_storage\_bucket
## Syntax
A `google_storage_bucket` is used to test a Google Bucket resource

Use the `google_storage_bucket` InSpec audit resource to test properties of a GCP storage bucket.
## Examples
```
describe google_storage_bucket(name: bucket-name) do
it { should exist }
its('location') { should cmp 'europe-west2'.upcase }
<br>s
its('storage_class') { should eq "STANDARD" }
end
## Syntax
describe google_storage_bucket(name: "nonexistent") do
it { should_not exist }
end
```

A `google_storage_bucket` resource block declares the tests for a single GCP storage bucket by name.
## Properties
Properties that can be accessed from the `google_storage_bucket` resource:

describe google_storage_bucket(name: 'chef-inspec-gcp-storage-bucket-abcd') do
it { should exist }
its('name') { should eq 'chef-inspec-gcp-storage-bucket-abcd' }
end

<br>
* `acl`: Access controls on the bucket.

## Examples
* `bucket`: The name of the bucket.

The following examples show how to use this InSpec audit resource.
* `domain`: The domain associated with the entity.

### Test that a GCP storage bucket is in the expected location
* `email`: The email address associated with the entity.

describe google_storage_bucket(name: 'chef-inspec-gcp-storage-bucket-abcd') do
its('location') { should eq "EUROPE-WEST2" }
end
* `entity`: The entity holding the permission, in one of the following forms: user-userId user-email group-groupId group-email domain-domain project-team-projectId allUsers allAuthenticatedUsers Examples: The user liz@example.com would be user-liz@example.com. The group example@googlegroups.com would be group-example@googlegroups.com. To refer to all members of the Google Apps for Business domain example.com, the entity would be domain-example.com.

### Test that a GCP storage bucket has the expected project number
* `entity_id`: The ID for the entity

describe google_storage_bucket(name: 'chef-inspec-gcp-storage-bucket-abcd') do
its('project_number') {should eq 12345678 }
end
* `id`: The ID of the access-control entry.

### Test that a GCP storage bucket has the expected storage class
* `project_team`: The project team associated with the entity

describe google_storage_bucket(name: 'chef-inspec-gcp-storage-bucket-abcd') do
its('storage_class') { should eq 'STANDARD' }
end
* `project_number`: The project team associated with the entity

<br>
* `team`: The team.

## Properties
* `role`: The access permission for the entity.

* `cors`: The bucket's Cross-Origin Resource Sharing (CORS) configuration.

* `max_age_seconds`: The value, in seconds, to return in the Access-Control-Max-Age header used in preflight responses.

* `method`: The list of HTTP methods on which to include CORS response headers, (GET, OPTIONS, POST, etc) Note: "*" is permitted in the list of methods, and means "any method".

* `origin`: The list of Origins eligible to receive CORS response headers. Note: "*" is permitted in the list of origins, and means "any Origin".

* `response_header`: The list of HTTP headers other than the simple response headers to give permission for the user-agent to share across domains.

* `default_object_acl`: Default access controls to apply to new objects when no ACL is provided.

* `bucket`: The name of the bucket.

* `domain`: The domain associated with the entity.

* `email`: The email address associated with the entity.

* `entity`: The entity holding the permission, in one of the following forms: * user-{{userId}} * user-{{email}} (such as "user-liz@example.com") * group-{{groupId}} * group-{{email}} (such as "group-example@googlegroups.com") * domain-{{domain}} (such as "domain-example.com") * project-team-{{projectId}} * allUsers * allAuthenticatedUsers

* `entity_id`: The ID for the entity

* `generation`: The content generation of the object, if applied to an object.

* `id`: The ID of the access-control entry.

* `object`: The name of the object, if applied to an object.

* `project_team`: The project team associated with the entity

* `project_number`: The project team associated with the entity

* `team`: The team.

* `role`: The access permission for the entity.

* `id`: The ID of the bucket. For buckets, the id and name properities are the same.

* `lifecycle`: The bucket's lifecycle configuration. See https://developers.google.com/storage/docs/lifecycle for more information.

* `rule`: A lifecycle management rule, which is made of an action to take and the condition(s) under which the action will be taken.

* `action`: The action to take.

* `storage_class`: Target storage class. Required iff the type of the action is SetStorageClass.

* `type`: Type of the action. Currently, only Delete and SetStorageClass are supported.

* `condition`: The condition(s) under which the action will be taken.

* `age_days`: Age of an object (in days). This condition is satisfied when an object reaches the specified age.

* `created_before`: A date in RFC 3339 format with only the date part (for instance, "2013-01-15"). This condition is satisfied when an object is created before midnight of the specified date in UTC.

* `is_live`: Relevant only for versioned objects. If the value is true, this condition matches live objects; if the value is false, it matches archived objects.

* `matches_storage_class`: Objects having any of the storage classes specified by this condition will be matched. Values include MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, and DURABLE_REDUCED_AVAILABILITY.

* `num_newer_versions`: Relevant only for versioned objects. If the value is N, this condition is satisfied when there are at least N versions (including the live version) newer than this version of the object.

* `location`: The location of the bucket. Object data for objects in the bucket resides in physical storage within this region. Defaults to US. See the developer's guide for the authoritative list.

* `logging`: The bucket's logging configuration, which defines the destination bucket and optional name prefix for the current bucket's logs.

* `log_bucket`: The destination bucket where the current bucket's logs should be placed.

* `log_object_prefix`: A prefix for log object names.

* `metageneration`: The metadata generation of this bucket.

* `name`: The name of the bucket

* `owner`: The owner of the bucket. This is always the project team's owner group.

* `entity`: The entity, in the form project-owner-projectId.

* `entity_id`: The ID for the entity.

* `project_number`: The project number of the project the bucket belongs to.

* `storage_class`: The bucket's default storage class, used whenever no storageClass is specified for a newly-created object. This defines how objects in the bucket are stored and determines the SLA and the cost of storage. Values include MULTI_REGIONAL, REGIONAL, STANDARD, NEARLINE, COLDLINE, and DURABLE_REDUCED_AVAILABILITY. If this value is not specified when the bucket is created, it will default to STANDARD. For more information, see storage classes.

* `time_created`: The creation time of the bucket in RFC 3339 format.

* `updated`: The modification time of the bucket in RFC 3339 format.

* `versioning`: The bucket's versioning configuration.

* `enabled`: While set to true, versioning is fully enabled for this bucket.

* `website`: The bucket's website configuration, controlling how the service behaves when accessing bucket contents as a web site. See the Static Website Examples for more information.

* `main_page_suffix`: If the requested object path is missing, the service will ensure the path has a trailing '/', append this suffix, and attempt to retrieve the resulting object. This allows the creation of index.html objects to represent directory pages.

* `not_found_page`: If the requested object path is missing, and any mainPageSuffix object is missing, if applicable, the service will return the named object from this bucket as the content for a 404 Not Found result.

* `etag`, `id`, `kind`, `location`, `metageneration`, `name`, `project_number`, `storage_class`, `time_created`, `updated`
* `project`: A valid API project identifier.

<br>
* `predefined_default_object_acl`: Apply a predefined set of default object access controls to this bucket. Acceptable values are: - "authenticatedRead": Object owner gets OWNER access, and allAuthenticatedUsers get READER access. - "bucketOwnerFullControl": Object owner gets OWNER access, and project team owners get OWNER access. - "bucketOwnerRead": Object owner gets OWNER access, and project team owners get READER access. - "private": Object owner gets OWNER access. - "projectPrivate": Object owner gets OWNER access, and project team members get access according to their roles. - "publicRead": Object owner gets OWNER access, and allUsers get READER access.


## GCP Permissions

Ensure the [Google Cloud Storage API](https://console.cloud.google.com/apis/api/storage-component.googleapis.com/) is enabled.
Ensure the [Google Cloud Storage](https://console.cloud.google.com/apis/library/storage-component.googleapis.com/) is enabled for the current project.
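Review bot: the new example passes `name: bucket-name` unquoted, which Ruby parses as `bucket - name` and fails with a NameError; it needs to be a string (`name: "bucket-name"`), and `'europe-west2'.upcase` can simply be `'EUROPE-WEST2'`, matching the old example it replaces. In the property list, `project_number` under both `acl` and `default_object_acl` is described as "The project team associated with the entity", a copy of the `project_team` text; per the API it is the project number. `project` ("A valid API project identifier") and `predefined_default_object_acl` are request parameters of bucket creation, not fields returned for an existing bucket, so listing them as accessible properties is misleading. Minor: "properities" in the `id` description. The removed lines also dropped the one-sentence description of what the resource is for and the three titled examples (location, project number, storage class); keeping at least the description under Syntax would make the page self-explanatory again.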