Add google_projects resource with docs, tests etc.

Include extra filtering by name example in google_compute_zones.

Signed-off-by: Stuart Paterson <spaterson@chef.io>

docs/resources/google_compute_zones.md

@@ -57,6 +57,16 @@ The following examples show how to use this InSpec audit resource.
       its('zone_statuses') { should_not include "DOWN" }
     end
 
+### Test that a subset of all zones matching "us*" are "UP"
+
+    describe google_compute_zones(project: gcp_project_id).where(zone_name: /^us/).zone_names.each do |zone_name|
+      describe google_compute_zone(project: 'chef-inspec-gcp',  zone: zone_name) do
+        it { should exist }
+        its('kind') { should eq "compute#zone" }
+        its('status') { should eq 'UP' }
+      end
+    end
+
 <br>
 
 ## Filter Criteria

docs/resources/google_projects.md

@@ -0,0 +1,85 @@
+---
+title: About the google_projects Resource
+platform: gcp
+---
+
+# google\_projects
+
+Use the `google_projects` InSpec audit resource to test properties of all, or a filtered group of, GCP projects in a particular organisation.
+
+<br>
+
+## Syntax
+
+A `google_projects` resource block collects GCP projects then tests that group.
+
+    describe google_projects do
+      it { should exist }
+    end
+
+Use this InSpec resource to enumerate IDs then test in-depth using `google_compute_project`.
+
+    google_projects.project_names.each do |project_name|
+      describe google_project(project: project_name) do
+        it { should exist }
+        its('lifecycle_state') { should eq "ACTIVE" }
+      end
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that there are no more than a specified number of projects available for the project
+
+    describe google_projects do
+      its('count') { should be <= 100}
+    end
+
+### Test that an expected named project is available
+
+    describe google_projects do
+      its('project_names'){ should include gcp_project_id }
+    end
+
+### Test that an expected project number is available
+
+    describe google_projects do
+      its('project_ids'){ should include gcp_project_name }
+    end
+
+### Test that an expected project id is available
+
+    describe google_projects do
+      its('project_numbers'){ should include gcp_project_number }
+    end    
+
+### Test that a particular subset of projects with id 'prod*' are in ACTIVE lifecycle state
+
+    describe google_projects.where(project_id: /^prod/).project_ids.each do |gcp_project_id|
+      describe google_project(project: gcp_project_id) do
+        it { should exist }
+        its('lifecycle_state') { should eq "ACTIVE" }
+      end
+    end
+
+<br>
+
+## Filter Criteria
+
+This resource supports the following filter criteria:  `project_id`; `project_name` and `project_number`. Anyy of these may be used with `where`, as a block or as a method.
+
+## Properties
+
+*  `project_ids` - an array of google_compute_project identifier strings
+*  `project_names` - an array of google_compute_project name strings
+*  `project_numbers`- an array of google_compute_project number identifier integers
+
+<br>
+
+
+## GCP Permissions
+
+Ensure the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com/) is enabled for the project.

libraries/google_projects.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'gcp_backend'
+
+module Inspec::Resources
+  class GoogleComputeProjects < GcpResourceBase
+    name 'google_projects'
+    desc 'Verifies settings for GCP compute projects in bulk'
+
+    example "
+      describe google_compute_projects do
+        it { should exist }
+        ...
+      end
+    "
+
+    def initialize(opts = {})
+      # Call the parent class constructor
+      super(opts)
+      @display_name = opts[:name]
+    end
+
+    # FilterTable setup
+    filter_table_config = FilterTable.create
+    filter_table_config.add(:project_ids, field: :project_id)
+    filter_table_config.add(:project_names, field: :project_name)
+    filter_table_config.add(:project_numbers, field: :project_number)
+    filter_table_config.connect(self, :fetch_data)
+
+    def fetch_data
+      project_rows = []
+      next_page = nil
+      loop do
+        catch_gcp_errors do
+          @projects = @gcp.gcp_project_client.list_projects(page_token: next_page)
+        end
+        return [] if !@projects.projects
+        @projects.projects.map do |project|
+          project_rows+=[{ project_id: project.project_id,
+                      project_name: project.name,
+                      project_number: project.project_number }]
+        end
+        next_page = @projects.next_page_token
+        break unless next_page
+      end
+      @table = project_rows
+    end
+  end
+end

test/integration/verify/controls/google_projects.rb

@@ -0,0 +1,20 @@
+title 'Loop over all GCP Projects'
+
+gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.')
+gcp_project_name = attribute(:gcp_project_name, default: '', description: 'The GCP project name.')
+gcp_project_number = attribute(:gcp_project_number, default: '', description: 'The GCP project number.')
+gcp_enable_privileged_resources = attribute(:gcp_enable_privileged_resources,default:0,description:'Flag to enable privileged resources requiring elevated privileges in GCP.')
+
+control 'gcp-projects-loop-1.0' do
+
+  only_if { gcp_enable_privileged_resources.to_i == 1 }
+  impact 1.0
+  title 'Ensure projects have the correct properties in bulk.'
+
+  describe google_projects do
+    it { should exist }
+    its('project_names'){ should include gcp_project_name }
+    its('project_ids'){ should include gcp_project_id }
+    its('project_numbers'){ should include gcp_project_number.to_i }
+  end
+end