Add test for key types, fix service account keys resource (GoogleClou…

…dPlatform#3452)
nathkn · May 18, 2020 · 46dabdc · 46dabdc
1 parent c4ff65c
commit 46dabdc
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 1 deletion.
diff --git a/products/iam/api.yaml b/products/iam/api.yaml
@@ -97,6 +97,7 @@ objects:
   - !ruby/object:Api::Resource
     name: 'ServiceAccountKey'
     base_url: projects/{{project}}/serviceAccounts/{{service_account}}/keys
+    collection_url_key: 'keys'
     description: |
       A service account in the Identity and Access Management API.
     parameters:

diff --git a/templates/inspec/examples/google_service_account_key/google_service_account_key.erb b/templates/inspec/examples/google_service_account_key/google_service_account_key.erb
@@ -1,7 +1,7 @@
 <% gcp_project_id = "#{external_attribute('gcp_project_id', doc_generation)}" -%>
 <% gcp_service_account_display_name = "#{external_attribute('gcp_service_account_display_name', doc_generation)}" -%>
 google_service_account_keys(project: <%= gcp_project_id -%>, service_account: "<%= doc_generation ? "display-name" : "\#{gcp_service_account_display_name}" -%>@<%= doc_generation ? "project-id" : "\#{gcp_project_id}" -%>.iam.gserviceaccount.com").key_names.each do |sa_key_name|
-	describe google_service_account_key(project: <%= gcp_project_id -%>, service_account: "<%= doc_generation ? "display-name" : "\#{gcp_service_account_display_name}" -%>@<%= doc_generation ? "project-id" : "\#{gcp_project_id}" -%>.iam.gserviceaccount.com", name: sa_key_name) do
+	describe google_service_account_key(project: <%= gcp_project_id -%>, service_account: "<%= doc_generation ? "display-name" : "\#{gcp_service_account_display_name}" -%>@<%= doc_generation ? "project-id" : "\#{gcp_project_id}" -%>.iam.gserviceaccount.com", name: sa_key_name.split('/').last) do
 		it { should exist }
 		its('key_type') { should_not cmp 'USER_MANAGED' }
 	end

diff --git a/templates/inspec/examples/google_service_account_key/google_service_account_keys.erb b/templates/inspec/examples/google_service_account_key/google_service_account_keys.erb
@@ -2,4 +2,5 @@
 <% gcp_service_account_display_name = "#{external_attribute('gcp_service_account_display_name', doc_generation)}" -%>
 describe google_service_account_keys(project: <%= gcp_project_id -%>, service_account: "<%= doc_generation ? "display-name" : "\#{gcp_service_account_display_name}" -%>@<%= doc_generation ? "project-id" : "\#{gcp_project_id}" -%>.iam.gserviceaccount.com") do
   its('count') { should be <= 1000 }
+  its('key_types') { should_not include 'USER_MANAGED' }
 end
diff --git a/templates/inspec/tests/integration/build/gcp-mm.tf b/templates/inspec/tests/integration/build/gcp-mm.tf
@@ -910,6 +910,11 @@ resource "google_service_account" "spanner_service_account" {
   display_name = "${var.gcp_service_account_display_name}-sp"
 }
 
+resource "google_service_account_key" "userkey" {
+  service_account_id = google_service_account.spanner_service_account.name
+  public_key_type    = "TYPE_X509_PEM_FILE"
+}
+
 resource "google_spanner_instance" "spanner_instance" {
   project      = var.gcp_project_id
   config       = var.spannerinstance["config"]