Added several more resources, details below.

- Added google_storage_buckets plural resource.
- Minor updates to README, projects, firewalls and zones documentation.
- Added container clusters plural resource.
- Added container node pools plural resource.

Signed-off-by: Stuart Paterson <spaterson@chef.io>

README.md

@@ -58,21 +58,25 @@ supports:
 
 The following resources are available in the InSpec GCP Profile
 
-- [google_project_iam_custom_role](docs/resources/google_project_iam_custom_role.md)
-- [google_compute_instance](docs/resources/google_compute_instance.md)
-- [google_service_account](docs/resources/google_service_account.md)
-- [google_container_cluster](docs/resources/google_container_cluster.md)
-- [google_compute_firewalls](docs/resources/google_compute_firewalls.md)
-- [google_project](docs/resources/google_project.md)
 - [google_compute_address](docs/resources/google_compute_address.md)
 - [google_compute_firewall](docs/resources/google_compute_firewall.md)
+- [google_compute_firewalls](docs/resources/google_compute_firewalls.md)
 - [google_compute_image](docs/resources/google_compute_image.md)
+- [google_compute_instance](docs/resources/google_compute_instance.md)
 - [google_compute_instance_group](docs/resources/google_compute_instance_group.md)
-- [google_compute_zones](docs/resources/google_compute_zones.md)
-- [google_compute_zone](docs/resources/google_compute_zone.md)
 - [google_compute_instances](docs/resources/google_compute_instances.md)
-- [google_storage_bucket](docs/resources/google_storage_bucket.md)
+- [google_compute_zone](docs/resources/google_compute_zone.md)
+- [google_compute_zones](docs/resources/google_compute_zones.md)
+- [google_container_cluster](docs/resources/google_container_cluster.md)
+- [google_container_clusters](docs/resources/google_container_clusters.md)
 - [google_container_node_pool](docs/resources/google_container_node_pool.md)
+- [google_container_node_pools](docs/resources/google_container_node_pools.md)
+- [google_project](docs/resources/google_project.md)
+- [google_project_iam_custom_role](docs/resources/google_project_iam_custom_role.md)
+- [google_projects](docs/resources/google_projects.md)
+- [google_service_account](docs/resources/google_service_account.md)
+- [google_storage_bucket](docs/resources/google_storage_bucket.md)
+- [google_storage_buckets](docs/resources/google_storage_buckets.md)
 
 ## Test inspec-gcp resources
 
@@ -128,6 +132,11 @@ $ bundle exec rake test:run_integration_tests
 $ bundle exec rake test:cleanup_integration_tests 
 ```
 
+## Further Reading
+
+* [Introduction to InSpec GCP](https://lollyrock.com/articles/inspec-cloud-gcp-setup/)
+* [InSpec GCP Deep Dive](https://blog.chef.io/2018/06/19/inspec-gcp-deep-dive/)
+
 ## FAQ 
 
 ### Failure running "inspec exec" on my GCP profile

docs/resources/google_compute_firewall.md

@@ -65,7 +65,7 @@ The following examples show how to use this InSpec audit resource.
       it { should allow_port_protocol("80", "tcp") }
     end
 
-### Test whether firewall rule allows ingress/egrees for specified tags 
+### Test whether firewall rule allows ingress/egress for specified tags 
 
     describe google_compute_firewall(project: 'chef-inspec-gcp', name: 'firewall-rule') do
       its('direction') { should eq "INGRESS" }

docs/resources/google_compute_zones.md

@@ -71,7 +71,7 @@ The following examples show how to use this InSpec audit resource.
 
 ## Filter Criteria
 
-This resource supports the following filter criteria:  `zone_id`; `zone_name` and `zone_status`. Anyy of these may be used with `where`, as a block or as a method.
+This resource supports the following filter criteria:  `zone_id`; `zone_name` and `zone_status`. Any of these may be used with `where`, as a block or as a method.
 
 ## Properties
 

docs/resources/google_container_clusters.md

@@ -0,0 +1,77 @@
+---
+title: About the google_container_clusters Resource
+platform: gcp
+---
+
+# google\_container\_clusters
+
+Use the `google_container_clusters` InSpec audit resource to test properties of all, or a filtered group of, GCP container clusters for a project in a particular `google_compute_zone`.
+
+<br>
+
+## Syntax
+
+A `google_container_clusters` resource block collects GCP clusters by project and zone, then tests that group.
+
+    describe google_container_clusters(project: 'chef-inspec-gcp', zone: 'europe-west2-a') do
+      it { should exist }
+    end
+
+Use this InSpec resource to enumerate IDs then test in-depth using `google_container_cluster`.
+
+    google_container_clusters(project: 'chef-inspec-gcp', zone: 'europe-west2-a').cluster_names.each do |cluster_name|
+      describe google_container_cluster(project: 'chef-inspec-gcp',  cluster: cluster_name) do
+        it { should exist }
+      end
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that there are no more than a specified number of clusters available for the project in a particular zone
+
+    describe google_container_clusters(project: 'chef-inspec-gcp', zone: 'europe-west2-a') do
+      its('count') { should be <= 5}
+    end
+
+### Test that an expected cluster is available for the project
+
+    describe google_container_clusters(project: 'chef-inspec-gcp', zone: 'europe-west2-a') do
+      its('cluster_names') { should include "my-cluster" }
+    end
+
+### Test whether any clusters are in status "STOPPED"
+
+    describe google_container_clusters(project: 'chef-inspec-gcp', zone: 'europe-west2-a') do
+      its('cluster_statuses') { should_not include "STOPPED" }
+    end
+
+### Test that a subset of all clusters matching "kube*" are "RUNNING"
+
+    describe google_container_clusters(project: gcp_project_id).where(cluster_name: /^kube/).cluster_names.each do |cluster_name|
+      describe google_container_cluster(project: 'chef-inspec-gcp', zone: 'europe-west2-a', name: cluster_name) do
+        it { should exist }
+        its('status') { should eq 'RUNNING' }
+      end
+    end
+
+<br>
+
+## Filter Criteria
+
+This resource supports the following filter criteria: `cluster_name` and `cluster_status`. Any of these may be used with `where`, as a block or as a method.
+
+## Properties
+
+*  `cluster_names` - an array of google_container_cluster name strings
+*  `cluster_statuses`- an array of google_container_cluster status stringss
+
+<br>
+
+
+## GCP Permissions
+
+Ensure the [Kubernetes Engine API](https://console.cloud.google.com/apis/library/container.googleapis.com) is enabled for the project where the resource is located.

docs/resources/google_container_node_pools.md

@@ -0,0 +1,72 @@
+---
+title: About the google_container_node_pools Resource
+platform: gcp
+---
+
+# google\_container\_node_pools
+
+Use the `google_container_node_pools` InSpec audit resource to test properties of all, or a filtered group of, GCP container node_pools for a project, cluster and zone.
+
+<br>
+
+## Syntax
+
+A `google_container_node_pools` resource block collects GCP node pools by project, cluster and zone then tests that group.
+
+    describe google_container_node_pools(project: 'chef-inspec-gcp', zone: 'europe-west2-a', cluster_name: 'inspec-gcp-cluster') do
+      it { should exist }
+    end
+
+Use this InSpec resource to enumerate IDs then test in-depth using `google_container_node_pool`.
+
+    google_container_node_pools(project: 'chef-inspec-gcp', zone: 'europe-west2-a', cluster_name: 'inspec-gcp-cluster').node_pool_names.each do |node_pool_name|
+      describe google_container_node_pool(project: 'chef-inspec-gcp', zone: 'europe-west2-a', cluster_name: 'inspec-gcp-cluster', nodepool_name: node_pool_name) do
+        it { should exist }
+        its('status') { should eq 'RUNNING' }
+      end
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that there are no more than a specified number of node pools available for the project
+
+    describe google_container_node_pools(project: 'chef-inspec-gcp') do
+      its('count') { should be <= 10}
+    end
+
+### Test that an expected node pool is available for the project
+
+    describe google_container_node_pools(project: 'chef-inspec-gcp') do
+      its('node_pool_names') { should include "us-east1-b" }
+    end
+
+### Test that a subset of all node pools matching "mypooll*" are "UP"
+
+    describe google_container_node_pools(project: 'chef-inspec-gcp', zone: 'europe-west2-a', cluster_name: 'inspec-gcp-cluster').where(node_pool_name: /^mypool/).node_pool_names.each do |node_pool_name|
+      describe google_container_node_pool(project: 'chef-inspec-gcp', zone: 'europe-west2-a', cluster_name: 'inspec-gcp-cluster', nodepool_name: node_pool_name) do
+        it { should exist }
+        its('status') { should eq 'RUNNING' }
+      end
+    end
+
+<br>
+
+## Filter Criteria
+
+This resource supports the following filter criteria: `node_pool_name` and `node_pool_status`. Any of these may be used with `where`, as a block or as a method.
+
+## Properties
+
+*  `node_pool_names` - an array of google_container_node_pool name strings
+*  `node_pool_statuses`- an array of google_container_node_pool status stringss
+
+<br>
+
+
+## GCP Permissions
+
+Ensure the [Kubernetes Engine API](https://console.cloud.google.com/apis/library/container.googleapis.com) is enabled for the project where the resource is located.

docs/resources/google_projects.md

@@ -41,19 +41,19 @@ The following examples show how to use this InSpec audit resource.
 ### Test that an expected named project is available
 
     describe google_projects do
-      its('project_names'){ should include gcp_project_id }
+      its('project_names'){ should include "gcp_project_id" }
     end
 
 ### Test that an expected project number is available
 
     describe google_projects do
-      its('project_ids'){ should include gcp_project_name }
+      its('project_ids'){ should include "gcp_project_name" }
     end
 
 ### Test that an expected project id is available
 
     describe google_projects do
-      its('project_numbers'){ should include gcp_project_number }
+      its('project_numbers'){ should include 1122334455 }
     end    
 
 ### Test that a particular subset of projects with id 'prod*' are in ACTIVE lifecycle state

docs/resources/google_storage_bucket.md

@@ -48,7 +48,7 @@ The following examples show how to use this InSpec audit resource.
 
 *  `etag`, `id`, `kind`, `location`, `metageneration`, `name`, `project_number`, `storage_class`, `time_created`, `updated`
 
-s<br>
+<br>
 
 
 ## GCP Permissions

docs/resources/google_storage_buckets.md

@@ -0,0 +1,75 @@
+---
+title: About the google_storage_buckets Resource
+platform: gcp
+---
+
+# google\_storage\_bucket
+
+Use the `google_storage_buckets` InSpec audit resource to test properties of a GCP storage buckets.
+
+<br>
+
+## Syntax
+
+A `google_storage_buckets` resource block collects GCP buckets by project then tests that group.
+
+    describe google_storage_buckets(project: 'chef-inspec-gcp') do
+      it { should exist }
+    end
+
+Use this InSpec resource to enumerate IDs then test in-depth using `google_storage_bucket`.
+
+    google_storage_buckets(project: 'chef-inspec-gcp').bucket_names.each do |bucket_name|
+      describe google_storage_bucket(name: bucket_name) do
+        it { should exist }
+        its('storage_class') { should eq 'STANDARD' }
+      end
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that there are no more than a specified number of storage buckets for the project
+
+    describe google_storage_buckets(project: 'chef-inspec-gcp') do
+      its('count') { should be <= 100}
+    end
+
+
+### Test that an expected named bucket is available
+
+    describe google_storage_buckets do
+      its('bucket_names'){ should include "my_expected_bucket" }
+    end
+
+### Test that all buckets belong to the expected project number
+
+    google_storage_buckets(project: 'chef-inspec-gcp').bucket_names.each do |bucket_name|
+      describe google_storage_bucket(name: bucket_name) do
+        it { should exist }
+        its('project_number'){ should eq 1122334455 }
+      end
+    end
+
+<br>
+
+## Filter Criteria
+
+This resource supports the following filter criteria:  `bucket_id`; `bucket_name`; `bucket_project_number` and `bucket_location`. Any of these may be used with `where`, as a block or as a method.
+
+## Properties
+
+*  `bucket_ids` - an array of google_storage_bucket identifier strings
+*  `bucket_names` - an array of google_storage_bucket name strings
+*  `bucket_project_numbers`- an array of google_storage_bucket identifier integers
+*  `bucket_locations`- an array of google_storage_bucket location strings
+
+<br
+
+
+## GCP Permissions
+
+Ensure the [Google Cloud Storage API](https://console.cloud.google.com/apis/api/storage-component.googleapis.com/) is enabled.

libraries/google_container_cluster.rb

@@ -9,7 +9,7 @@ class GoogleContainerCluster < GcpResourceBase
     desc 'Verifies settings for a google container cluster'
 
     example "
-      describe google_container_cluster(project: 'chef-inspec-gcp', zone: 'gcp-inspec-test', name: 'cluster-name') do
+      describe google_container_cluster(project: 'chef-inspec-gcp', zone: 'europe-west2-a', name: 'cluster-name') do
         it { should exist }
         its('name') { should eq 'inspec-test' }
         its('status') { should eq 'in_use' }

libraries/google_container_clusters.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require 'gcp_backend'
+
+module Inspec::Resources
+  class GoogleContainerClusters < GcpResourceBase
+    name 'google_container_clusters'
+    desc 'Verifies settings for GCP container clusters in bulk'
+
+    example "
+      describe google_container_clusters(project: 'chef-inspec-gcp', zone: 'europe-west2-a') do
+        it { should exist }
+        ...
+      end
+    "
+
+    def initialize(opts = {})
+      # Call the parent class constructor
+      super(opts)
+      @project = opts[:project]
+      @zone = opts[:zone]
+    end
+
+    # FilterTable setup
+    filter_table_config = FilterTable.create
+    filter_table_config.add(:cluster_names, field: :cluster_name)
+    filter_table_config.add(:cluster_statuses, field: :cluster_status)
+    filter_table_config.connect(self, :fetch_data)
+
+    def fetch_data
+      cluster_rows = []
+      catch_gcp_errors do
+        # below seemingly doesn't provide pagination
+        @clusters = @gcp.gcp_client(Google::Apis::ContainerV1::ContainerService).list_zone_clusters(@project, @zone)
+      end
+      return [] if !@clusters.clusters
+      @clusters.clusters.map do |cluster|
+        cluster_rows+=[{ cluster_name: cluster.name,
+                         cluster_status: cluster.status }]
+      end
+      @table = cluster_rows
+    end
+  end
+end

libraries/google_container_node_pool.rb

@@ -9,10 +9,9 @@ class GoogleContainerNodePool < GcpResourceBase
     desc 'Verifies settings for a container nodepool'
 
     example "
-      describe google_container_node_pool(project: 'chef-inspec-gcp', zone: 'gcp-inspec-test', cluster_name: 'cluster-name', nodepool_name: 'nodepool_name') do
+      describe google_container_node_pool(project: 'chef-inspec-gcp', zone: 'europe-west2-a', cluster_name: 'cluster-name', nodepool_name: 'inspec-test') do
         it { should exist }
         its('name') { should eq 'inspec-test' }
-        its('status') { should eq 'in_use' }
         ...
       end
     "