From 46dabdcb1f30f555816fe8ec48fc1b35e0087bc4 Mon Sep 17 00:00:00 2001
From: Sam Levenick
Date: Mon, 4 May 2020 16:59:55 -0700
Subject: [PATCH] Add test for key types, fix service account keys resource (#3452)

---
 products/iam/api.yaml | 1 +
 .../google_service_account_key.erb | 2 +-
 .../google_service_account_keys.erb | 1 +
 templates/inspec/tests/integration/build/gcp-mm.tf | 5 +++++
 4 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/products/iam/api.yaml b/products/iam/api.yaml
index dd634970b3cc..9a7b00df287b 100644
--- a/products/iam/api.yaml
+++ b/products/iam/api.yaml
@@ -97,6 +97,7 @@ objects:
 - !ruby/object:Api::Resource
 name: 'ServiceAccountKey'
 base_url: projects/{{project}}/serviceAccounts/{{service_account}}/keys
+ collection_url_key: 'keys'
 description: |
 A service account in the Identity and Access Management API.
 parameters:
diff --git a/templates/inspec/examples/google_service_account_key/google_service_account_key.erb b/templates/inspec/examples/google_service_account_key/google_service_account_key.erb
index 883fe7fd1eae..7452ea9def4e 100644
--- a/templates/inspec/examples/google_service_account_key/google_service_account_key.erb
+++ b/templates/inspec/examples/google_service_account_key/google_service_account_key.erb
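Review bot: The added `collection_url_key: 'keys'` has no comment saying why the default collection key is wrong for this resource; presumably the IAM list response nests its items under `keys`, and the plural resource could not find them before, which is what the "fix service account keys resource" part of the title refers to. A one-line comment above it, e.g. `# ListServiceAccountKeys returns its items under "keys", not the default collection key`, would save the next person from having to rediscover that. While here, the context line `A service account in the Identity and Access Management API.` is the description of `ServiceAccountKey`, not of a service account, and reads as copy-pasted from the parent resource.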
@@ -1,7 +1,7 @@
 <% gcp_project_id = "#{external_attribute('gcp_project_id', doc_generation)}" -%>
 <% gcp_service_account_display_name = "#{external_attribute('gcp_service_account_display_name', doc_generation)}" -%>
 google_service_account_keys(project: <%= gcp_project_id -%>, service_account: "<%= doc_generation ? "display-name" : "\#{gcp_service_account_display_name}" -%>@<%= doc_generation ? "project-id" : "\#{gcp_project_id}" -%>.iam.gserviceaccount.com").key_names.each do |sa_key_name|
- describe google_service_account_key(project: <%= gcp_project_id -%>, service_account: "<%= doc_generation ? "display-name" : "\#{gcp_service_account_display_name}" -%>@<%= doc_generation ? "project-id" : "\#{gcp_project_id}" -%>.iam.gserviceaccount.com", name: sa_key_name) do
+ describe google_service_account_key(project: <%= gcp_project_id -%>, service_account: "<%= doc_generation ? "display-name" : "\#{gcp_service_account_display_name}" -%>@<%= doc_generation ? "project-id" : "\#{gcp_project_id}" -%>.iam.gserviceaccount.com", name: sa_key_name.split('/').last) do
 it { should exist }
 its('key_type') { should_not cmp 'USER_MANAGED' }
 end
diff --git a/templates/inspec/examples/google_service_account_key/google_service_account_keys.erb b/templates/inspec/examples/google_service_account_key/google_service_account_keys.erb
index 363d7a6056f0..4e957a975e01 100644
--- a/templates/inspec/examples/google_service_account_key/google_service_account_keys.erb
+++ b/templates/inspec/examples/google_service_account_key/google_service_account_keys.erb
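Review bot: The new `name: sa_key_name.split('/').last` silently relies on `key_names` yielding full resource names (`projects/…/serviceAccounts/…/keys/{id}`) while the singular resource wants only the trailing id; nothing in the example records that, so a reader of the generated control cannot tell why the bare `sa_key_name` stopped working. A comment above the `describe` would carry it, e.g. `# key_names are full resource names; the singular resource takes only the trailing key id`. The existing `its('key_type') { should_not cmp 'USER_MANAGED' }` is a posture assertion (the account holds only Google-managed keys) rather than a functional one, so the same comment should say so, or the first user-managed key created on this test account will be read as a resource bug instead of an intended failure.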
@@ -2,4 +2,5 @@
 <% gcp_service_account_display_name = "#{external_attribute('gcp_service_account_display_name', doc_generation)}" -%>
 describe google_service_account_keys(project: <%= gcp_project_id -%>, service_account: "<%= doc_generation ? "display-name" : "\#{gcp_service_account_display_name}" -%>@<%= doc_generation ? "project-id" : "\#{gcp_project_id}" -%>.iam.gserviceaccount.com") do
 its('count') { should be <= 1000 }
+ its('key_types') { should_not include 'USER_MANAGED' }
 end
\ No newline at end of file
diff --git a/templates/inspec/tests/integration/build/gcp-mm.tf b/templates/inspec/tests/integration/build/gcp-mm.tf
index 6e01cfc6623e..e77ee9d0d7cd 100644
--- a/templates/inspec/tests/integration/build/gcp-mm.tf
+++ b/templates/inspec/tests/integration/build/gcp-mm.tf
@@ -910,6 +910,11 @@ resource "google_service_account" "spanner_service_account" {
 display_name = "${var.gcp_service_account_display_name}-sp"
 }
 
+resource "google_service_account_key" "userkey" {
+ service_account_id = google_service_account.spanner_service_account.name
+ public_key_type = "TYPE_X509_PEM_FILE"
+}
+
 resource "google_spanner_instance" "spanner_instance" {
 project = var.gcp_project_id
 config = var.spannerinstance["config"]
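Review bot: The added `its('key_types') { should_not include 'USER_MANAGED' }` presumes the plural resource exposes a `key_types` accessor alongside the `key_names` the singular example already iterates; that is plausible given the `collection_url_key: 'keys'` change in this commit, but if the generator does not emit it the control fails with an unknown-property error rather than a posture failure, so confirm against the generated resource. The file also still has no trailing newline (`\ No newline at end of file` survives on the new side); add one after `end`. As with the singular example, this encodes a no-user-managed-keys posture for the test account, which is worth a one-line comment next to the expectation so later failures are read as intended.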
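Review bot: `google_service_account_key.userkey` mints a user-managed key for `spanner_service_account`, and the provider returns the generated private key as a resource attribute that is persisted in Terraform state, so this fixture makes the integration state file hold a live credential; if the test only needs a USER_MANAGED key to exist, keep that state backend and its readers tightly scoped and record the intent on the resource, e.g. `# fixture: user-managed key whose private_key is stored in state; no consumer reads it`. The examples in this commit assert the absence of USER_MANAGED keys on the account named after `gcp_service_account_display_name`, which appears to coexist with this key only because the spanner account's display name carries the `-sp` suffix; a comment stating that dependency would stop someone from pointing the key at the other account. The label `userkey` also departs from the descriptive snake_case labels around it (`spanner_service_account`, `spanner_instance`); `spanner_service_account_key` would read consistently, and `public_key_type = "TYPE_X509_PEM_FILE"` looks like the provider default and can go unless it is meant as explicit documentation.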