InSpec Folder log sink resource (#2419)

Merged PR #2419.
GoogleCloudPlatform · Oct 3, 2019 · ec5e46c · ec5e46c
1 parent 0b1345c
commit ec5e46c
Show file tree

Hide file tree

Showing 9 changed files with 93 additions and 1 deletion.
diff --git a/build/inspec b/build/inspec
diff --git a/products/logging/api.yaml b/products/logging/api.yaml
@@ -268,3 +268,43 @@ objects:
         name: disabled
         description: |
           If set to true then this exclusion is disabled and it does not exclude any log entries.
+  - !ruby/object:Api::Resource
+    name: "FolderLogSink"
+    base_url: folders/{{folder}}/sinks
+    self_link: folders/{{folder}}/sinks/{{name}}
+    collection_url_key: 'sinks'
+    description: |
+      Describes a sink used to export log entries
+    properties:
+      - !ruby/object:Api::Type::String
+        name: folder
+        description: |
+          Id of the folder that this sink belongs to.
+        required: true
+      - !ruby/object:Api::Type::String
+        name: name
+        description: |
+          Name of the log sink.
+        required: true
+      - !ruby/object:Api::Type::String
+        name: filter
+        description: |
+          An advanced logs filter. The only exported log entries are those that are in the
+          resource owning the sink and that match the filter.
+      - !ruby/object:Api::Type::String
+        name: destination
+        description: |
+          The export destination.
+      - !ruby/object:Api::Type::String
+        name: writerIdentity
+        description: |
+          An IAM identity—a service account or group—under which Logging writes the exported
+          log entries to the sink's destination. This field is set by sinks.create and sinks.update
+          based on the value of uniqueWriterIdentity in those methods.
+      - !ruby/object:Api::Type::Boolean
+        name: includeChildren
+        description: |
+          If the field is false, the default, only the logs owned by the sink's parent resource are
+          available for export. If the field is true, then logs from all the projects, folders, and
+          billing accounts contained in the sink's parent resource are also available for export.
+          Whether a particular log entry from the children is exported depends on the sink's filter expression.
diff --git a/products/logging/inspec.yaml b/products/logging/inspec.yaml
@@ -22,4 +22,7 @@ overrides: !ruby/object:Overrides::ResourceOverrides
   FolderExclusion: !ruby/object:Overrides::Inspec::ResourceOverride
     # Creating a folder requires organization level privileges
     privileged: true
+  FolderLogSink: !ruby/object:Overrides::Inspec::ResourceOverride
+    # Creating a folder requires organization level privileges
+    privileged: true
 
diff --git a/products/logging/terraform.yaml b/products/logging/terraform.yaml
@@ -42,6 +42,8 @@ overrides: !ruby/object:Overrides::ResourceOverrides
     exclude: true
   FolderExclusion: !ruby/object:Overrides::Terraform::ResourceOverride
     exclude: true
+  FolderLogSink: !ruby/object:Overrides::Terraform::ResourceOverride
+    exclude: true
 
 files: !ruby/object:Provider::Config::Files
   # These files have templating (ERB) code that will be run.

diff --git a/templates/inspec/examples/google_logging_folder_log_sink/google_logging_folder_log_sink.erb b/templates/inspec/examples/google_logging_folder_log_sink/google_logging_folder_log_sink.erb
@@ -0,0 +1,13 @@
+<% gcp_organization_id = "#{external_attribute('gcp_organization_id', doc_generation)}" -%>
+<% folder_sink = grab_attributes['folder_sink'] -%>
+# Getting folder sinks is complicated due to the name being generated by the server.
+# This can be drastically simplified if you have the folder name when writing the test
+describe.one do
+  google_resourcemanager_folders(parent: <%= doc_generation ? "'organizations/12345'" : "\"organizations/\#{gcp_organization_id}\"" -%>).names.each do |folder_name|
+    # name on a folder is in the form `folders/12345`
+    describe google_logging_folder_log_sink(folder: folder_name.split('/')[1], name: <%= doc_generation ? "'#{folder_sink['name']}'" : "folder_sink['name']" -%>) do
+      it { should exist }
+      its('filter') { should cmp <%= doc_generation ? "'#{folder_sink['filter']}'" : "folder_sink['filter']" -%> }
+    end
+  end
+end
diff --git a/...pec/examples/google_logging_folder_log_sink/google_logging_folder_log_sink_attributes.erb b/...pec/examples/google_logging_folder_log_sink/google_logging_folder_log_sink_attributes.erb
@@ -0,0 +1,3 @@
+folder_sink = attribute('folder_sink', default: <%= grab_attributes['folder_sink'] -%>)
+gcp_organization_id = attribute(:gcp_organization_id, default: <%= external_attribute('gcp_organization_id') -%>, description: 'The identifier of the organization that is the parent of the folder')
+gcp_enable_privileged_resources = attribute(:gcp_enable_privileged_resources, default:0, description:'Flag to enable privileged resources requiring elevated privileges in GCP.')
diff --git a/templates/inspec/examples/google_logging_folder_log_sink/google_logging_folder_log_sinks.erb b/templates/inspec/examples/google_logging_folder_log_sink/google_logging_folder_log_sinks.erb
@@ -0,0 +1,13 @@
+<% gcp_organization_id = "#{external_attribute('gcp_organization_id', doc_generation)}" -%>
+<% folder_sink = grab_attributes['folder_sink'] -%>
+# Getting folder sinks is complicated due to the name being generated by the server.
+# This can be drastically simplified if you have the folder name when writing the test
+describe.one do
+  google_resourcemanager_folders(parent: <%= doc_generation ? "'organizations/12345'" : "\"organizations/\#{gcp_organization_id}\"" -%>).names.each do |folder_name|
+    # name on a folder is in the form `folders/12345`
+    describe google_logging_folder_log_sinks(folder: folder_name.split('/')[1]) do
+      its('names') { should include <%= doc_generation ? "'#{folder_sink['name']}'" : "folder_sink['name']" -%> }
+      its('filters') { should include <%= doc_generation ? "'#{folder_sink['filter']}'" : "folder_sink['filter']" -%> }
+    end
+  end
+end
diff --git a/templates/inspec/tests/integration/build/gcp-mm.tf b/templates/inspec/tests/integration/build/gcp-mm.tf
@@ -165,6 +165,10 @@ variable "filestore_instance" {
   type = "map"
 }
 
+variable "folder_sink" {
+  type = "map"
+}
+
 resource "google_compute_ssl_policy" "custom-ssl-policy" {
   name            = "${var.ssl_policy["name"]}"
   min_tls_version = "${var.ssl_policy["min_tls_version"]}"
@@ -699,3 +703,13 @@ resource "google_filestore_instance" "instance" {
     modes   = [var.filestore_instance["network_mode"]]
   }
 }
+
+resource "google_logging_folder_sink" "folder-sink" {
+  count       = "${var.gcp_organization_id == "" ? 0 : var.gcp_enable_privileged_resources}"
+  name        = var.folder_sink.name
+  folder      = google_folder.inspec-gcp-folder.0.name
+
+  destination = "storage.googleapis.com/${google_storage_bucket.generic-storage-bucket.name}"
+
+  filter      = var.folder_sink.filter
+}
diff --git a/templates/inspec/tests/integration/configuration/mm-attributes.yml b/templates/inspec/tests/integration/configuration/mm-attributes.yml
@@ -276,3 +276,7 @@ filestore_instance:
   fileshare_name: inspecgcp
   network_name: default
   network_mode: MODE_IPV4
+
+folder_sink:
+  name: inspec-gcp-folder-sink
+  filter: resource.type = gce_instance AND severity >= ERROR
+43 −0		docs/resources/google_logging_folder_log_sink.md
+41 −0		docs/resources/google_logging_folder_log_sinks.md
+70 −0		libraries/google_logging_folder_log_sink.rb
+94 −0		libraries/google_logging_folder_log_sinks.rb
+14 −0		test/integration/build/gcp-mm.tf
+4 −0		test/integration/configuration/mm-attributes.yml
+36 −0		test/integration/verify/controls/google_logging_folder_log_sink.rb
+36 −0		test/integration/verify/controls/google_logging_folder_log_sinks.rb