Added google_compute_network(s) and google_compute_subnetwork(s) reso…

…urces. - Includes docs, tests, tf updates etc. - README now includes above resources - Remove unnecessary lines google_compute_zones Signed-off-by: Stuart Paterson <spaterson@chef.io>
modular-magician · Aug 23, 2018 · b1c9ae1 · b1c9ae1
1 parent 62246de
commit b1c9ae1
Show file tree

Hide file tree

Showing 8 changed files with 286 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -76,7 +76,9 @@ The following resources are available in the InSpec GCP Profile
 - [google_compute_instance_groups](docs/resources/google_compute_instance_groups.md)
 - [google_compute_instances](docs/resources/google_compute_instances.md)
 - [google_compute_network](docs/resources/google_compute_network.md)
+- [google_compute_networks](docs/resources/google_compute_networks.md)
 - [google_compute_subnetwork](docs/resources/google_compute_subnetwork.md)
+- [google_compute_subnetworks](docs/resources/google_compute_subnetworks.md)
 - [google_compute_zone](docs/resources/google_compute_zone.md)
 - [google_compute_zones](docs/resources/google_compute_zones.md)
 - [google_container_cluster](docs/resources/google_container_cluster.md)

diff --git a/docs/resources/google_compute_networks.md b/docs/resources/google_compute_networks.md
@@ -0,0 +1,72 @@
+---
+title: About the google_compute_networks Resource
+platform: gcp
+---
+
+# google\_compute\_networks
+
+Use the `google_compute_networks` InSpec audit resource to test properties of all, or a filtered group of, GCP compute networks for a project.
+
+<br>
+
+## Syntax
+
+A `google_compute_networks` resource block collects GCP networks by project then tests that group.
+
+    describe google_compute_networks(project: 'chef-inspec-gcp') do
+      it { should exist }
+    end
+
+Use this InSpec resource to enumerate IDs then test in-depth using `google_compute_network`.
+
+    google_compute_networks(project: 'chef-inspec-gcp').network_names.each do |network_name|
+      describe google_compute_network(project: 'chef-inspec-gcp',  name: network_name) do
+        its ('subnetworks.count') { should be < 10 }
+        its ('creation_timestamp_date') { should be > Time.now - 365*60*60*24*10 }
+        its ('routing_config.routing_mode') { should eq "REGIONAL" }
+        its ('auto_create_subnetworks'){ should be false }
+      end
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that there are no more than a specified number of networks available for the project
+
+    describe google_compute_networks(project: 'chef-inspec-gcp') do
+      its('count') { should be <= 100}
+    end
+
+### Test that an expected network identifier is present in the project 
+
+    describe google_compute_networks(project: 'chef-inspec-gcp') do
+      its('network_ids') { should include 12345678975432 }
+    end
+
+### Test that an expected network name is available for the project
+
+    describe google_compute_networks(project: 'chef-inspec-gcp') do
+      its('network_names') { should include "network-name" }
+    end
+
+
+<br>
+
+## Filter Criteria
+
+This resource supports the following filter criteria:  `network_id` and `network_name`. Any of these may be used with `where`, as a block or as a method.
+
+## Properties
+
+*  `network_ids` - an array of google_compute_network identifier integers
+*  `network_names` - an array of google_compute_network name strings
+
+<br>
+
+
+## GCP Permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the project where the resource is located.
diff --git a/docs/resources/google_compute_subnetworks.md b/docs/resources/google_compute_subnetworks.md
@@ -0,0 +1,80 @@
+---
+title: About the google_compute_subnetworks Resource
+platform: gcp
+---
+
+# google\_compute\_subnetworks
+
+Use the `google_compute_subnetworks` InSpec audit resource to test properties of all, or a filtered group of, GCP compute subnetworks for a project and region.
+
+<br>
+
+## Syntax
+
+A `google_compute_subnetworks` resource block collects GCP subnetworks by project and region, then tests that group.
+
+    describe google_compute_subnetworks(project: 'chef-inspec-gcp', region: 'europe-west2') do
+      it { should exist }
+    end
+
+Use this InSpec resource to enumerate IDs then test in-depth using `google_compute_subnetwork`.
+
+    google_compute_subnetworks(project: 'chef-inspec-gcp', region:'europe-west2').subnetwork_names.each do |subnetwork_name|
+      describe google_compute_subnetwork(project: 'chef-inspec-gcp', region: 'europe-west2', name: name: subnetwork_name) do
+        its('creation_timestamp_date') { should be > Time.now - 365*60*60*24*10 }
+        its('ip_cidr_range') { should eq "10.2.0.0/29" }
+        its('network') { should match "gcp_network_name" }
+        its('private_ip_google_access') { should be false }
+      end
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that there are no more than a specified number of subnetworks available for the project and region
+
+    describe google_compute_subnetworks(project: 'chef-inspec-gcp', region: 'europe-west2') do
+      its('count') { should be <= 100}
+    end
+
+### Test that an expected subnetwork identifier is present in the project and region
+
+    describe google_compute_subnetworks(project: 'chef-inspec-gcp', region: 'europe-west2') do
+      its('subnetwork_ids') { should include 12345678975432 }
+    end
+
+
+### Test that an expected subnetwork name is available for the project and region
+
+    describe google_compute_subnetworks(project: 'chef-inspec-gcp', region: 'europe-west2') do
+      its('subnetwork_names') { should include "subnetwork-name" }
+    end
+
+### Test that an expected subnetwork network name is not present for the project and region
+
+    describe google_compute_subnetworks(project: 'chef-inspec-gcp', region: 'europe-west2') do
+      its('subnetwork_networks') { should not include "network-name" }
+    end
+
+
+<br>
+
+## Filter Criteria
+
+This resource supports the following filter criteria:  `subnetwork_id`; `subnetwork_name` and `subnetwork_network`. Any of these may be used with `where`, as a block or as a method.
+
+## Properties
+
+*  `subnetwork_ids` - an array of google_compute_subnetwork identifier integers
+*  `subnetwork_names` - an array of google_compute_subnetwork name strings
+*  `subnetwork_networks` - an array of google_compute_network name strings
+
+<br>
+
+
+## GCP Permissions
+
+Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the project where the resource is located.
diff --git a/libraries/google_compute_networks.rb b/libraries/google_compute_networks.rb
@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require 'gcp_backend'
+
+module Inspec::Resources
+  class GoogleComputeNetworks < GcpResourceBase
+    name 'google_compute_networks'
+    desc 'Verifies settings for GCP compute networks in bulk'
+
+    example "
+      describe google_compute_networks(project: 'chef-inspec-gcp') do
+        it { should exist }
+      end
+    "
+
+    def initialize(opts = {})
+      # Call the parent class constructor
+      super(opts)
+      @project = opts[:project]
+    end
+
+    # FilterTable setup
+    filter_table_config = FilterTable.create
+    filter_table_config.add(:network_ids, field: :network_id)
+    filter_table_config.add(:network_names, field: :network_name)
+    filter_table_config.connect(self, :fetch_data)
+
+    def fetch_data
+      network_rows = []
+      next_page = nil
+      loop do
+        catch_gcp_errors do
+          @networks = @gcp.gcp_compute_client.list_networks(@project, page_token: next_page)
+        end
+        return [] if !@networks || !@networks.items
+        @networks.items.map do |network|
+          network_rows+=[{ network_id: network.id,
+                           network_name: network.name }]
+        end
+        next_page = @networks.next_page_token
+        break unless next_page
+      end
+      @table = network_rows
+    end
+  end
+end
diff --git a/libraries/google_compute_subnetworks.rb b/libraries/google_compute_subnetworks.rb
@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'gcp_backend'
+
+module Inspec::Resources
+  class GoogleComputeSubnetworks < GcpResourceBase
+    name 'google_compute_subnetworks'
+    desc 'Verifies settings for GCP compute subnetworks in bulk'
+
+    example "
+      describe google_compute_subnetworks(project: 'chef-inspec-gcp', region: 'europe-west2') do
+        it { should exist }
+      end
+    "
+
+    def initialize(opts = {})
+      # Call the parent class constructor
+      super(opts)
+      @project = opts[:project]
+      @region = opts[:region]
+    end
+
+    # FilterTable setup
+    filter_table_config = FilterTable.create
+    filter_table_config.add(:subnetwork_ids, field: :subnetwork_id)
+    filter_table_config.add(:subnetwork_names, field: :subnetwork_name)
+    filter_table_config.add(:subnetwork_networks, field: :subnetwork_network)
+    filter_table_config.connect(self, :fetch_data)
+
+    def fetch_data
+      subnetwork_rows = []
+      next_page = nil
+      loop do
+        catch_gcp_errors do
+          @subnetworks = @gcp.gcp_compute_client.list_subnetworks(@project, @region, page_token: next_page)
+        end
+        return [] if !@subnetworks || !@subnetworks.items
+        @subnetworks.items.map do |subnetwork|
+          subnetwork_rows+=[{ subnetwork_id: subnetwork.id,
+                              subnetwork_name: subnetwork.name,
+                              subnetwork_network: subnetwork.network.split('/').last }]
+        end
+        next_page = @subnetworks.next_page_token
+        break unless next_page
+      end
+      @table = subnetwork_rows
+    end
+  end
+end
diff --git a/libraries/google_compute_zones.rb b/libraries/google_compute_zones.rb
@@ -10,14 +10,12 @@ class GoogleComputeZones < GcpResourceBase
     example "
       describe google_compute_zones(project: 'chef-inspec-gcp') do
         it { should exist }
-        ...
       end
     "
 
     def initialize(opts = {})
       # Call the parent class constructor
       super(opts)
-      @display_name = opts[:name]
       @project = opts[:project]
     end
 

diff --git a/test/integration/verify/controls/google_compute_networks.rb b/test/integration/verify/controls/google_compute_networks.rb
@@ -0,0 +1,17 @@
+title 'Zones Properties'
+
+gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.')
+gcp_network_name = attribute(:gcp_network_name, default: '', description: 'The GCP network name.')
+
+control 'gcp-networks-1.0' do
+
+  impact 1.0
+  title 'Ensure zones have the correct properties in bulk'
+
+  describe google_compute_networks(project: gcp_project_id) do
+    it { should exist }
+    its('count') { should be <= 100}
+    its('network_names') { should include gcp_network_name }
+  end
+
+end
diff --git a/test/integration/verify/controls/google_compute_subnetworks.rb b/test/integration/verify/controls/google_compute_subnetworks.rb
@@ -0,0 +1,20 @@
+title 'Subnetworks Properties'
+
+gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.')
+gcp_network_name = attribute(:gcp_network_name, default: '', description: 'The GCP network name.')
+gcp_region = attribute(:gcp_location, default: '', description: 'The GCP region being used.')
+gcp_subnetwork_name = attribute(:gcp_subnetwork_name, default: '', description: 'The GCP subnetwork name.')
+
+control 'gcp-subnetworks-1.0' do
+
+  impact 1.0
+  title 'Ensure subnetworks have the correct properties in bulk'
+
+  describe google_compute_subnetworks(project: gcp_project_id, region: gcp_region) do
+    it { should exist }
+    its('count') { should be <= 100}
+    its('subnetwork_names') { should include gcp_subnetwork_name }
+    its('subnetwork_networks') { should include gcp_network_name }
+  end
+
+end