Add support for privileged resources. This allows lack of a flag to s…

…kip the test

overrides/inspec/resource_override.rb

@@ -23,6 +23,7 @@ def self.attributes
           manual
           additional_functions
           product_url
+          privileged
         ]
       end
 
@@ -33,6 +34,7 @@ def validate
         super
         check :additional_functions, type: String
         check :product_url, type: String
+        check :privileged, type: :boolean, default: false
       end
     end
   end

products/resourcemanager/inspec.yaml

@@ -23,6 +23,7 @@ overrides: !ruby/object:Overrides::ResourceOverrides
     exclude: true
   Folder: !ruby/object:Overrides::Inspec::ResourceOverride
     product_url: https://cloudresourcemanager.googleapis.com/v2/
+    privileged: true
 files: !ruby/object:Provider::Config::Files
   copy:
     'Gemfile': 'provider/inspec/Gemfile'

provider/inspec.rb

@@ -125,6 +125,7 @@ def generate_inspec_test(data, name, target_folder, attribute_file_name)
         attribute_file_name: attribute_file_name,
         doc_generation: false,
         default_template: 'templates/inspec/integration_test_template.erb',
+        privileged: data[:object].privileged,
         out_file: File.join(
           target_folder,
           'integration/verify/controls',

templates/inspec/examples/attributes/external_attributes.yml

@@ -6,4 +6,5 @@ gcp_compute_disk_type: 'pd-standard'
 gcp_lb_mig1_name: 'gcp-managed-group-name'
 gcp_ext_vm_name: 'gcp_ext_vm_name'
 gcp_location: europe-west2
-gcp_network_name: gcp-inspec-network
+gcp_network_name: gcp-inspec-network
+gcp_organization_id: 190694428152

templates/inspec/examples/google_resourcemanager_folder/google_resourcemanager_folder.erb

@@ -1,6 +1,6 @@
 <% folder = grab_attributes['folder'] -%>
 describe.one do
-  google_resourcemanager_folders(parent: <%= doc_generation ? "'organizations/12345'" : "\"organizations/\#{organization['id']}\"" -%>).names.each do |name|
+  google_resourcemanager_folders(parent: <%= doc_generation ? "'organizations/12345'" : "\"organizations/\#{gcp_organization_id}\"" -%>).names.each do |name|
     # names come back in the format 'folders/1234', we only want the number
     describe google_resourcemanager_folder(name: name.split('/').last) do
       it { should exist }

templates/inspec/examples/google_resourcemanager_folder/google_resourcemanager_folder_attributes.erb

@@ -1,2 +1,3 @@
 folder = attribute('folder', default: <%= grab_attributes['folder'] -%>)
-organization = attribute('organization', default: <%= grab_attributes['organization'] -%>)
+gcp_organization_id = attribute(:gcp_organization_id, default: <%= external_attribute('gcp_organization_id') -%>, description: 'The identifier of the organization that is the parent of this folder')
+gcp_enable_privileged_resources = attribute(:gcp_enable_privileged_resources, default:0, description:'Flag to enable privileged resources requiring elevated privileges in GCP.')

templates/inspec/examples/google_resourcemanager_folder/google_resourcemanager_folders.erb

@@ -1,6 +1,6 @@
 <% folder = grab_attributes['folder'] -%>
 describe.one do
-  google_resourcemanager_folders(parent: <%= doc_generation ? "'organizations/12345'" : "\"organizations/\#{organization['id']}\"" -%>).display_names.each do |display_name|
+  google_resourcemanager_folders(parent: <%= doc_generation ? "'organizations/12345'" : "\"organizations/\#{gcp_organization_id}\"" -%>).display_names.each do |display_name|
     describe display_name do
       it { should eq <%= doc_generation ? "'#{folder['display_name']}'" : "folder['display_name']" -%> }
     end

templates/inspec/integration_test_template.erb

@@ -13,7 +13,9 @@ title 'Test GCP <%= name -%> resource.'
 control '<%= name -%>-1.0' do
   impact 1.0
   title '<%= name -%> resource test'
-
+<% if privileged -%>
+  only_if { gcp_enable_privileged_resources.to_i == 1 && gcp_organization_id != ''}
+<% end # if privileged -%>
 <% if vcr_mode -%>
   VCR.use_cassette('<%= name -%>', :record => :<%= vcr_mode -%>) do
 <% end # if vcr_mode -%>

templates/inspec/plural_resource.erb

@@ -85,11 +85,10 @@ link_query = object.self_link_query || object.collection_url_response
     time_string ? Time.parse(time_string) : nil
   end
 
-<% base = "'#{object.self_link_url[0].join}'" -%>
   private
 
   def product_url
-    <%= object.product_url || base %>
+    '<%= object.product_url || object.self_link_url[0].join %>'
   end
 
   def resource_base_url

templates/inspec/tests/integration/build/gcp-mm.tf

@@ -110,12 +110,13 @@ variable "repository" {
   type = "map"
 }
 
-variable "organization" {
+variable "folder" {
   type = "map"
 }
 
-variable "folder" {
-  type = "map"
+variable "gcp_organization_id" {
+  type = "string"
+  default = "none"
 }
 
 resource "google_compute_ssl_policy" "custom-ssl-policy" {
@@ -452,13 +453,8 @@ resource "google_sourcerepo_repository" "gcp-inspec-sourcerepo-repository" {
   name = "${var.repository["name"]}"
 }
 
-data "google_organization" "org" {
-  count = "${var.gcp_enable_privileged_resources}"
-  organization = "${var.organization["id"]}"
-}
-
-resource "google_folder" "sales" {
-  count = "${var.gcp_enable_privileged_resources}"
+resource "google_folder" "inspec-gcp-folder" {
+  count = "${var.gcp_organization_id == "none" ? 0 : var.gcp_enable_privileged_resources}"
   display_name = "${var.folder["display_name"]}"
-  parent       = "${data.google_organization.org.name}"
+  parent       = "${var.gcp_organization_id}"
 }

templates/inspec/tests/integration/configuration/mm-attributes.yml

@@ -188,8 +188,5 @@ bigquery_table:
 repository:
   name: inspec-gcp-repository
 
-organization:
-  id: 953310715741
-
 folder:
   display_name: inspec-gcp-folder