Added google_sql_users resource and updates to sql instances.

Signed-off-by: Stuart Paterson <spaterson@chef.io>
modular-magician · Sep 7, 2018 · b759f9e · b759f9e
1 parent fb9086c
commit b759f9e
Show file tree

Hide file tree

Showing 5 changed files with 128 additions and 2 deletions.
diff --git a/docs/resources/google_sql_database_instances.md b/docs/resources/google_sql_database_instances.md
@@ -86,4 +86,4 @@ This resource supports the following filter criteria:  `instance_name`; `instanc
 
 ## GCP Permissions
 
-Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the project where the resource is located.
+Ensure the [Cloud SQL API](https://console.cloud.google.com/projectselector/apis/api/sqladmin.googleapis.com/overview) is enabled for the project.
diff --git a/docs/resources/google_sql_users.md b/docs/resources/google_sql_users.md
@@ -0,0 +1,69 @@
+---
+title: About the google_sql_users Resource
+platform: gcp
+---
+
+# google\_sql\_users
+
+Use the `google_sql_users` InSpec audit resource to test properties of all, or a filtered group of, GCP sql users for a project database instance.
+
+<br>
+
+## Syntax
+
+A `google_sql_users` resource block collects GCP users by project then tests that group.
+
+    describe google_sql_users(project: 'chef-inspec-gcp', database: 'database-instance') do
+      it { should exist }
+    end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test that there are no more than a specified number of users available for the project
+
+    describe google_sql_users(project: 'chef-inspec-gcp', database: 'database-instance') do
+      its('count') { should be <= 100}
+    end
+
+### Test that an expected user is available for the project
+
+    describe google_sql_users(project: 'chef-inspec-gcp') do
+      its('user_names') { should include "us-east1-b" }
+    end
+
+### Test whether any users are in status "DOWN"
+
+    describe google_sql_users(project: 'chef-inspec-gcp') do
+      its('user_statuses') { should_not include "DOWN" }
+    end
+
+### Test users exist for all database instances in a project
+
+    google_sql_database_instances(project: 'chef-inspec-gcp').instance_names.each do |instance_name|
+      describe google_sql_users(project: 'chef-inspec-gcp', database: instance_name) do
+        it { should exist }
+      end
+    end
+
+<br>
+
+## Filter Criteria
+
+This resource supports the following filter criteria:  `user_id`; `user_name` and `user_status`. Any of these may be used with `where`, as a block or as a method.
+
+## Properties
+
+*  `user_namess` - an array of google sql user name strings
+*  `user_instances`- an array of google_sql_database_instance name strings
+*  `user_hosts`- an array of google sql user host strings
+
+<br>
+
+
+## GCP Permissions
+
+Ensure the [Cloud SQL API](https://console.cloud.google.com/projectselector/apis/api/sqladmin.googleapis.com/overview) is enabled for the project.
diff --git a/libraries/google_sql_database_instances.rb b/libraries/google_sql_database_instances.rb
@@ -16,7 +16,6 @@ class GoogleCloudSqlDatabaseInstances < GcpResourceBase
     def initialize(opts = {})
       # Call the parent class constructor
       super(opts)
-      @project = opts[:project]
     end
 
     # FilterTable setup

diff --git a/libraries/google_sql_users.rb b/libraries/google_sql_users.rb
@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require 'gcp_backend'
+
+module Inspec::Resources
+  class GoogleCloudSqlUsers < GcpResourceBase
+    name 'google_sql_users'
+    desc 'Verifies settings for GCP Cloud SQL Database users in bulk'
+
+    example "
+      describe google_sql_users(project: 'chef-inspec-gcp', database: 'database') do
+        it { should exist }
+      end
+    "
+
+    def initialize(opts = {})
+      # Call the parent class constructor
+      super(opts)
+    end
+
+    # FilterTable setup
+    filter_table_config = FilterTable.create
+    filter_table_config.add(:user_names, field: :user_name)
+    filter_table_config.add(:user_hosts, field: :user_host)
+    filter_table_config.add(:user_instances, field: :user_instance)
+    filter_table_config.connect(self, :fetch_data)
+
+    def fetch_data
+      user_rows = []
+      catch_gcp_errors do
+        @users = @gcp.gcp_client(Google::Apis::SqladminV1beta4::SQLAdminService).list_users(opts[:project], opts[:database])
+      end
+      return [] if !@users || !@users.items
+      @users.items.map do |user|
+        user_rows+=[{ user_name: user.name,
+                      user_host: user.host,
+                      user_instance: user.instance }]
+      end
+      @users = user_rows
+    end
+  end
+end
diff --git a/test/integration/verify/controls/google_sql_users.rb b/test/integration/verify/controls/google_sql_users.rb
@@ -0,0 +1,16 @@
+title 'Test GCP Cloud SQL Database users'
+
+gcp_project_id = attribute(:gcp_project_id, default: '', description: 'The GCP project identifier.')
+gcp_db_instance_name = attribute(:gcp_db_instance_name, default: '', description: 'The GCP DB instance name.')
+
+control 'gcp-db-users-1.0' do
+
+  impact 1.0
+  title 'Ensure GCP Cloud SQL Database users have the correct properties.'
+
+  describe google_sql_users(project: gcp_project_id,  database: gcp_db_instance_name) do
+    it { should exist }
+    its('count') { should be <= 100}
+    its('user_instances') { should include gcp_db_instance_name }
+  end
+end
Original file line number	Diff line number	Diff line change
Expand Up		@@ -86,4 +86,4 @@ This resource supports the following filter criteria: `instance_name`; `instanc

		## GCP Permissions

		Ensure the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com/) is enabled for the project where the resource is located.
		Ensure the [Cloud SQL API](https://console.cloud.google.com/projectselector/apis/api/sqladmin.googleapis.com/overview) is enabled for the project.