Add integration tests, attributes (#687)

Merged PR #687.

.ci/acceptance-tests/inspec-integration.sh

@@ -0,0 +1,73 @@
+#!/bin/bash
+
+set -e
+set -x
+
+function cleanup {
+	cd $TF_PATH
+	./terraform destroy -auto-approve
+}
+
+# Service account credentials for GCP to allow terraform to work
+export GOOGLE_CLOUD_KEYFILE_JSON="/tmp/google-account.json"
+# Setup GOPATH
+export GOPATH=${PWD}/go
+
+# CI sets the contents of our json account secret in our environment; dump it
+# to disk for use in tests.
+echo "${TERRAFORM_KEY}" > /tmp/google-account.json
+
+git clone https://github.com/slevenick/inspec-gcp.git
+
+# new train plugin not published yet, install locally for now
+pushd inspec-gcp
+bundle
+inspec plugin install train-gcp2/lib/train-gcp2.rb
+
+popd
+
+pushd inspec-gcp/test/integration
+
+# Generate tfvars
+pushd attributes
+ruby compile_vars.rb > terraform.tfvars
+mv terraform.tfvars ../terraform
+popd
+
+# Run terraform
+pushd terraform
+wget https://releases.hashicorp.com/terraform/0.11.10/terraform_0.11.10_linux_amd64.zip
+apt-get install unzip
+unzip terraform_0.11.10_linux_amd64.zip
+./terraform init
+./terraform plan
+
+export TF_PATH=${PWD}
+trap cleanup EXIT
+./terraform apply -auto-approve
+export GOOGLE_APPLICATION_CREDENTIALS="${PWD}/inspec.json"
+inspec detect -t gcp2://
+popd
+
+# Copy inspec resources
+pushd inspec-mm
+cp -r ../../../libraries libraries
+popd
+
+# Run inspec
+bundle
+
+# Service accounts take several minutes to be authorized everywhere
+set +e
+
+for i in {1..50}
+do
+	inspec exec inspec-mm --attrs=attributes/attributes.yaml -t gcp2://
+	if [ "$?" -eq "0" ]; then
+		exit 0
+	fi
+done
+set -e
+
+popd
+exit 100

.ci/acceptance-tests/inspec-integration.yml

@@ -0,0 +1,13 @@
+platform: linux
+
+inputs:
+  - name: magic-modules-new-prs
+
+image_resource:
+    type: docker-image
+    source:
+        repository: nmckinley/go-ruby-python
+        tag: '1.11-2.5.1-2.7'
+
+run:
+    path: magic-modules-new-prs/.ci/acceptance-tests/inspec-integration.sh

.ci/ci.yml.tmpl

@@ -377,3 +377,10 @@ jobs:
                 merge:
                     method: squash
                     commit_msg: mm-output/commit_message
+    - name: inspec-integration-test
+      plan:
+        - get: magic-modules-new-prs
+        - task: inspec-integration
+          file: magic-modules-new-prs/.ci/acceptance-tests/inspec-integration.yml
+          params:
+            TERRAFORM_KEY: ((terraform-key))

products/compute/inspec.yaml

@@ -50,7 +50,7 @@ overrides: !ruby/object:Provider::ResourceOverrides
   HttpsHealthCheck: !ruby/object:Provider::Inspec::ResourceOverride
     exclude: true
   Image: !ruby/object:Provider::Inspec::ResourceOverride
-    exclude: true
+    exclude: false
   InstanceGroup: !ruby/object:Provider::Inspec::ResourceOverride
     exclude: true
   InstanceGroupManager: !ruby/object:Provider::Inspec::ResourceOverride
@@ -64,9 +64,9 @@ overrides: !ruby/object:Provider::ResourceOverrides
   MachineType: !ruby/object:Provider::Inspec::ResourceOverride
     exclude: true
   Network: !ruby/object:Provider::Inspec::ResourceOverride
-    exclude: true
+    exclude: false
   Region: !ruby/object:Provider::Inspec::ResourceOverride
-    exclude: true
+    exclude: false
   RegionAutoscaler: !ruby/object:Provider::Inspec::ResourceOverride
     exclude: true
   RegionDisk: !ruby/object:Provider::Inspec::ResourceOverride
@@ -84,7 +84,7 @@ overrides: !ruby/object:Provider::ResourceOverrides
   SslPolicy: !ruby/object:Provider::Inspec::ResourceOverride
     exclude: true
   Subnetwork: !ruby/object:Provider::Inspec::ResourceOverride
-    exclude: true
+    exclude: false
   TargetHttpProxy: !ruby/object:Provider::Inspec::ResourceOverride
     exclude: true
   TargetHttpsProxy: !ruby/object:Provider::Inspec::ResourceOverride

provider/inspec.rb

@@ -74,9 +74,9 @@ def format_url(url)
       url.split("\n").join('')
     end
 
-    # Copies InSpec unit tests to build folder
+    # Copies InSpec tests to build folder
     def generate_resource_tests(data)
-      target_folder = File.join(data[:output_folder], 'test/unit')
+      target_folder = File.join(data[:output_folder], 'test')
       FileUtils.mkpath target_folder
       FileUtils.cp_r 'templates/inspec/tests/.', target_folder
     end

templates/inspec/tests/integration/attributes/attributes.yaml

@@ -0,0 +1,24 @@
+# Copyright 2017 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+project_name: 'graphite-test-sam-chef'
+region: 'us-west1'
+zone: 'us-west1-a'
+
+network:
+  name: 'inspec-gcp-network'
+  routing_mode: 'REGIONAL'
+
+subnetwork:
+  name: 'inspec-gcp-subnetwork'
+  ip_range: '10.2.0.0/29'

templates/inspec/tests/integration/attributes/compile_vars.rb

@@ -0,0 +1,19 @@
+# Copyright 2017 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'erb'
+require 'yaml'
+
+loaded = YAML.load_file('attributes.yaml')
+template = ERB.new(File.read('terraform.tfvars.erb'))
+puts template.result_with_hash(loaded)

templates/inspec/tests/integration/attributes/terraform.tfvars.erb

@@ -0,0 +1,27 @@
+<%# The license inside this block applies to this file.
+# Copyright 2017 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+-%>
+project_name = "<%= project_name %>"
+region = "<%= region %>"
+zone = "<%= zone %>"
+
+network = {
+  name = "<%= network['name'] %>"
+  routing_mode = "<%= network['routing_mode'] %>"
+}
+
+subnetwork = {
+  name = "<%= subnetwork['name'] %>"
+  ip_range = "<%= subnetwork['ip_range'] %>"
+}

templates/inspec/tests/integration/inspec-mm/controls/google_compute_network.rb

@@ -0,0 +1,39 @@
+# Copyright 2017 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+title 'Test single GCP compute network'
+
+control 'gcp-compute-network-1.0' do
+
+  impact 1.0
+  title 'Ensure GCP compute network has the correct properties.'
+  resource = google_compute_network({project: attribute('project_name'), name: attribute('network')['name']})
+  describe resource do
+    it { should exist }
+
+    its ('subnetworks.count') { should eq 1 }
+    its ('creation_timestamp') { should be > (Time.now - 365*60*60*24*1).to_datetime }
+    its ('routing_config.routing_mode') { should eq "REGIONAL" }
+    its ('auto_create_subnetworks'){ should be false }
+  end
+
+  subnetwork_name = attribute('subnetwork')['name']
+  describe.one do
+    resource.subnetworks.each do |subnetwork|
+      describe subnetwork do
+        # using attribute within this block seems to cause InSpec issues.
+        it { should match '/' + subnetwork_name + '$' }
+      end
+    end
+  end
+end

templates/inspec/tests/integration/inspec-mm/controls/google_compute_networks.rb

@@ -0,0 +1,29 @@
+# Copyright 2017 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+title 'Test GCP plural compute networks'
+
+control 'gcp-compute-networks-1.0' do
+
+  impact 1.0
+  title 'GCP compute networks plural.'
+
+  describe google_compute_networks(project: attribute('project_name')) do
+    it { should exist }
+
+    its ('names.size') { should eq 2 }
+    its ('names') { should include 'gcp-inspec-network' }
+    its ('names') { should include 'default' }
+
+  end
+end

templates/inspec/tests/integration/inspec-mm/controls/google_compute_region.rb

@@ -0,0 +1,22 @@
+# Copyright 2017 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+title 'GCP single region test'
+
+control 'gcp-region-1.0' do
+  impact 1.0
+  title 'GCP region resource test'
+  describe google_compute_region(project: attribute('project_name'), name: attribute('region')) do
+    it { should exist }
+  end
+end

templates/inspec/tests/integration/inspec-mm/controls/google_compute_regions.rb

@@ -0,0 +1,24 @@
+# Copyright 2017 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+title 'Test GCP regions plural resource.'
+
+control 'gcp-regions-1.0' do
+  impact 1.0
+  title 'GCP Region plural test'
+  describe google_compute_regions(project: attribute('project_name')) do
+    it { should exist }
+    its('names') { should include 'us-west1' }
+    its('names') { should include 'us-east4' }
+  end
+end

templates/inspec/tests/integration/inspec-mm/controls/google_compute_subnetwork.rb

@@ -0,0 +1,28 @@
+# Copyright 2017 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+title 'Test Google compute subnetwork resource'
+
+control 'gcp-compute-subnetwork-1.0' do
+
+  impact 1.0
+  title 'Ensure GCP compute subnetwork resource works.'
+  describe google_compute_subnetwork({project: attribute('project_name'), region: attribute('region'), name: attribute('subnetwork')['name']}) do
+    it { should exist }
+    its('region') { should match attribute('region') }
+    its('creation_timestamp') { should be > (Time.now - 365*60*60*24*1).to_datetime }
+    its('ip_cidr_range') { should eq attribute('subnetwork')['ip_range'] }
+    its('network') { should match attribute('network')['name'] }
+    its('private_ip_google_access') { should be false }
+  end
+end