From c159d3acba778b09f1ecea8aeff4dc661deae434 Mon Sep 17 00:00:00 2001 From: sa-progress Date: Thu, 4 Aug 2022 20:02:01 +0530 Subject: [PATCH 1/4] cloud-kms-key-rings-crypto-keys-crypto-key-versions resource added Signed-off-by: sa-progress --- .../property/cryptokeyversion_attestation.rb | 37 ++++++ ...rsion_external_protection_level_options.rb | 37 ++++++ libraries/google_kms_crypto_key_version.rb | 92 ++++++++++++++ libraries/google_kms_crypto_key_versions.rb | 114 ++++++++++++++++++ .../controls/google_kms_crypto_key_version.md | 113 +++++++++++++++++ .../controls/google_kms_crypto_key_version.rb | 39 ++++++ .../google_kms_crypto_key_versions.md | 44 +++++++ .../google_kms_crypto_key_versions.rb | 31 +++++ 8 files changed, 507 insertions(+) create mode 100644 libraries/google/kms/property/cryptokeyversion_attestation.rb create mode 100644 libraries/google/kms/property/cryptokeyversion_external_protection_level_options.rb create mode 100644 libraries/google_kms_crypto_key_version.rb create mode 100644 libraries/google_kms_crypto_key_versions.rb create mode 100644 test/integration/verify/controls/google_kms_crypto_key_version.md create mode 100644 test/integration/verify/controls/google_kms_crypto_key_version.rb create mode 100644 test/integration/verify/controls/google_kms_crypto_key_versions.md create mode 100644 test/integration/verify/controls/google_kms_crypto_key_versions.rb diff --git a/libraries/google/kms/property/cryptokeyversion_attestation.rb b/libraries/google/kms/property/cryptokeyversion_attestation.rb new file mode 100644 index 000000000..dc6d4a011 --- /dev/null +++ b/libraries/google/kms/property/cryptokeyversion_attestation.rb 
@@ -0,0 +1,37 @@ +# frozen_string_literal: false + +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** Type: MMv1 *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- +module GoogleInSpec + module KMS + module Property + class CryptoKeyVersionAttestation + attr_reader :format + + attr_reader :content + + def initialize(args = nil, parent_identifier = nil) + return if args.nil? + @parent_identifier = parent_identifier + @format = args['format'] + @content = args['content'] + end + + def to_s + "#{@parent_identifier} CryptoKeyVersionAttestation" + end + end + end + end +end diff --git a/libraries/google/kms/property/cryptokeyversion_external_protection_level_options.rb b/libraries/google/kms/property/cryptokeyversion_external_protection_level_options.rb new file mode 100644 index 000000000..94e53aecb --- /dev/null +++ b/libraries/google/kms/property/cryptokeyversion_external_protection_level_options.rb 
@@ -0,0 +1,37 @@ +# frozen_string_literal: false + +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** Type: MMv1 *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- +module GoogleInSpec + module KMS + module Property + class CryptoKeyVersionExternalProtectionLevelOptions + attr_reader :external_key_uri + + attr_reader :ekm_connection_key_path + + def initialize(args = nil, parent_identifier = nil) + return if args.nil? + @parent_identifier = parent_identifier + @external_key_uri = args['externalKeyUri'] + @ekm_connection_key_path = args['ekmConnectionKeyPath'] + end + + def to_s + "#{@parent_identifier} CryptoKeyVersionExternalProtectionLevelOptions" + end + end + end + end +end diff --git a/libraries/google_kms_crypto_key_version.rb b/libraries/google_kms_crypto_key_version.rb new file mode 100644 index 000000000..8498dc3c8 --- /dev/null +++ b/libraries/google_kms_crypto_key_version.rb 
@@ -0,0 +1,92 @@ +# frozen_string_literal: false + +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** Type: MMv1 *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- +require 'gcp_backend' +require 'google/kms/property/cryptokeyversion_attestation' +require 'google/kms/property/cryptokeyversion_external_protection_level_options' + +# A provider to manage Cloud Key Management Service resources. +class KMSCryptoKeyVersion < GcpResourceBase + name 'google_kms_crypto_key_version' + desc 'CryptoKeyVersion' + supports platform: 'gcp' + + attr_reader :params + attr_reader :name + attr_reader :create_time + attr_reader :generate_time + attr_reader :destroy_time + attr_reader :destroy_event_time + attr_reader :state + attr_reader :protection_level + attr_reader :algorithm + attr_reader :attestation + attr_reader :import_job + attr_reader :import_time + attr_reader :import_failure_reason + attr_reader :external_protection_level_options + attr_reader :reimport_eligible + attr_reader :key_ring + attr_reader :crypto_key + + def initialize(params) + super(params.merge({ use_http_transport: true })) + @params = params + @fetched = @connection.fetch(product_url(params[:beta]), resource_base_url, params, 'Get') + parse unless @fetched.nil? 
+ end + + def parse + @name = @fetched['name'] + @create_time = parse_time_string(@fetched['createTime']) + @generate_time = parse_time_string(@fetched['generateTime']) + @destroy_time = parse_time_string(@fetched['destroyTime']) + @destroy_event_time = parse_time_string(@fetched['destroyEventTime']) + @state = @fetched['state'] + @protection_level = @fetched['protectionLevel'] + @algorithm = @fetched['algorithm'] + @attestation = GoogleInSpec::KMS::Property::CryptoKeyVersionAttestation.new(@fetched['attestation'], to_s) + @import_job = @fetched['importJob'] + @import_time = parse_time_string(@fetched['importTime']) + @import_failure_reason = @fetched['importFailureReason'] + @external_protection_level_options = GoogleInSpec::KMS::Property::CryptoKeyVersionExternalProtectionLevelOptions.new(@fetched['externalProtectionLevelOptions'], to_s) + @reimport_eligible = @fetched['reimportEligible'] + @key_ring = @fetched['keyRing'] + @crypto_key = @fetched['cryptoKey'] + end + + # Handles parsing RFC3339 time string + def parse_time_string(time_string) + time_string ? Time.parse(time_string) : nil + end + + def exists? + !@fetched.nil? + end + + def to_s + "CryptoKeyVersion #{@params[:name]}" + end + + private + + def product_url(_ = nil) + 'https://cloudkms.googleapis.com/v1/' + end + + def resource_base_url + 'projects/{{project}}/locations/{{location}}/keyRings/{{key_ring}}/cryptoKeys/{{crypto_key}}/cryptoKeyVersions/{{name}}' + end +end diff --git a/libraries/google_kms_crypto_key_versions.rb b/libraries/google_kms_crypto_key_versions.rb new file mode 100644 index 000000000..7ff562095 --- /dev/null +++ b/libraries/google_kms_crypto_key_versions.rb 
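Review bot: `to_s` identifies a version by `@params[:name]` alone, and `parse` passes that same string to `CryptoKeyVersionAttestation.new` and `CryptoKeyVersionExternalProtectionLevelOptions.new` as their parent identifier. Version names are per-key counters (the later patch in this series drives the control with `'1'`), so a failing attestation or protection-level expectation is reported against "CryptoKeyVersion 1" with no indication of which key or key ring it belongs to. Including the key path keeps the public interface unchanged and makes findings attributable: `"CryptoKeyVersion #{@params[:key_ring]}/#{@params[:crypto_key]}/#{@params[:name]}"`. The file carries the Magic Modules generated banner, so the change presumably belongs in the template as well as here.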
@@ -0,0 +1,114 @@ +# frozen_string_literal: false + +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** Type: MMv1 *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- +require 'gcp_backend' +class KMSCryptoKeyVersions < GcpResourceBase + name 'google_kms_crypto_key_versions' + desc 'CryptoKeyVersion plural resource' + supports platform: 'gcp' + + attr_reader :table + + filter_table_config = FilterTable.create + + filter_table_config.add(:names, field: :name) + filter_table_config.add(:create_times, field: :create_time) + filter_table_config.add(:generate_times, field: :generate_time) + filter_table_config.add(:destroy_times, field: :destroy_time) + filter_table_config.add(:destroy_event_times, field: :destroy_event_time) + filter_table_config.add(:states, field: :state) + filter_table_config.add(:protection_levels, field: :protection_level) + filter_table_config.add(:algorithms, field: :algorithm) + filter_table_config.add(:attestations, field: :attestation) + filter_table_config.add(:import_jobs, field: :import_job) + filter_table_config.add(:import_times, field: :import_time) + filter_table_config.add(:import_failure_reasons, field: :import_failure_reason) + filter_table_config.add(:external_protection_level_options, field: :external_protection_level_options) + filter_table_config.add(:reimport_eligibles, field: :reimport_eligible) + filter_table_config.add(:key_rings, field: :key_ring) + filter_table_config.add(:crypto_keys, field: :crypto_key) + + filter_table_config.connect(self, :table) + + def initialize(params = {}) + 
super(params.merge({ use_http_transport: true })) + @params = params + @table = fetch_wrapped_resource('cryptoKeyVersions') + end + + def fetch_wrapped_resource(wrap_path) + # fetch_resource returns an array of responses (to handle pagination) + result = @connection.fetch_all(product_url, resource_base_url, @params, 'Get') + return if result.nil? + + # Conversion of string -> object hash to symbol -> object hash that InSpec needs + converted = [] + result.each do |response| + next if response.nil? || !response.key?(wrap_path) + response[wrap_path].each do |hash| + hash_with_symbols = {} + hash.each_key do |key| + name, value = transform(key, hash) + hash_with_symbols[name] = value + end + converted.push(hash_with_symbols) + end + end + + converted + end + + def transform(key, value) + return transformers[key].call(value) if transformers.key?(key) + + [key.to_sym, value] + end + + def transformers + { + 'name' => ->(obj) { return :name, obj['name'] }, + 'createTime' => ->(obj) { return :create_time, parse_time_string(obj['createTime']) }, + 'generateTime' => ->(obj) { return :generate_time, parse_time_string(obj['generateTime']) }, + 'destroyTime' => ->(obj) { return :destroy_time, parse_time_string(obj['destroyTime']) }, + 'destroyEventTime' => ->(obj) { return :destroy_event_time, parse_time_string(obj['destroyEventTime']) }, + 'state' => ->(obj) { return :state, obj['state'] }, + 'protectionLevel' => ->(obj) { return :protection_level, obj['protectionLevel'] }, + 'algorithm' => ->(obj) { return :algorithm, obj['algorithm'] }, + 'attestation' => ->(obj) { return :attestation, GoogleInSpec::KMS::Property::CryptoKeyVersionAttestation.new(obj['attestation'], to_s) }, + 'importJob' => ->(obj) { return :import_job, obj['importJob'] }, + 'importTime' => ->(obj) { return :import_time, parse_time_string(obj['importTime']) }, + 'importFailureReason' => ->(obj) { return :import_failure_reason, obj['importFailureReason'] }, + 'externalProtectionLevelOptions' => ->(obj) { 
return :external_protection_level_options, GoogleInSpec::KMS::Property::CryptoKeyVersionExternalProtectionLevelOptions.new(obj['externalProtectionLevelOptions'], to_s) }, + 'reimportEligible' => ->(obj) { return :reimport_eligible, obj['reimportEligible'] }, + 'keyRing' => ->(obj) { return :key_ring, obj['keyRing'] }, + 'cryptoKey' => ->(obj) { return :crypto_key, obj['cryptoKey'] }, + } + end + + # Handles parsing RFC3339 time string + def parse_time_string(time_string) + time_string ? Time.parse(time_string) : nil + end + + private + + def product_url(_ = nil) + 'https://cloudkms.googleapis.com/v1/' + end + + def resource_base_url + 'projects/{{project}}/locations/{{location}}/keyRings/{{key_ring}}/cryptoKeys/{{crypto_key}}/cryptoKeyVersions' + end +end diff --git a/test/integration/verify/controls/google_kms_crypto_key_version.md b/test/integration/verify/controls/google_kms_crypto_key_version.md new file mode 100644 index 000000000..fce8cb9aa --- /dev/null +++ b/test/integration/verify/controls/google_kms_crypto_key_version.md 
@@ -0,0 +1,113 @@ +--- +title: About the google_kms_crypto_key_version resource +platform: gcp +--- + +## Syntax +A `google_kms_crypto_key_version` is used to test a Google CryptoKeyVersion resource + +## Examples +``` +describe google_kms_crypto_key_version(project: 'chef-gcp-inspec', location: 'europe-west2', key_ring: 'kms-key-ring', crypto_key: '', name: 'kms-key') do + it { should exist } + its('crypto_key_name') { should cmp 'kms-key' } + its('primary_state') { should eq "ENABLED" } + its('purpose') { should eq "ENCRYPT_DECRYPT" } + its('next_rotation_time') { should be > Time.now - 100000 } + its('create_time') { should be > Time.now - 365*60*60*24*10 } +end + +describe google_kms_crypto_key_version(project: 'chef-gcp-inspec', location: 'europe-west2', key_ring: 'kms-key-ring', crypto_key: '', name: "nonexistent") do + it { should_not exist } +end +``` + +## Properties +Properties that can be accessed from the `google_kms_crypto_key_version` resource: + + + * `name`: The resource name for the CryptoKey. + + * `create_time`: The time that this resource was created on the server. This is in RFC3339 text format. + + * `generate_time`: The time that this resource was created on the server. This is in RFC3339 text format. + + * `destroy_time`: The time that this resource was created on the server. This is in RFC3339 text format. + + * `destroy_event_time`: The time that this resource was created on the server. This is in RFC3339 text format. + + * `state`: The state of a CryptoKeyVersion, indicating if it can be used. + Possible values: + * CRYPTO_KEY_VERSION_STATE_UNSPECIFIED + * PENDING_GENERATION + * ENABLED + * DISABLED + * DESTROYED + * DESTROY_SCHEDULED + * PENDING_IMPORT + * IMPORT_FAILED + + * `protection_level`: ProtectionLevel specifies how cryptographic operations are performed. For more information, see Protection levels. 
+ Possible values: + * PROTECTION_LEVEL_UNSPECIFIED + * SOFTWARE + * HSM + * EXTERNAL + * EXTERNAL_VPC + + * `algorithm`: The algorithm of the CryptoKeyVersion, indicating what parameters must be used for each cryptographic operation. The GOOGLE_SYMMETRIC_ENCRYPTION algorithm is usable with CryptoKey.purpose ENCRYPT_DECRYPT. Algorithms beginning with "RSA_SIGN_" are usable with CryptoKey.purpose ASYMMETRIC_SIGN. The fields in the name after "RSA_SIGN_" correspond to the following parameters: padding algorithm, modulus bit length, and digest algorithm. For PSS, the salt length used is equal to the length of digest algorithm. For example, RSA_SIGN_PSS_2048_SHA256 will use PSS with a salt length of 256 bits or 32 bytes. Algorithms beginning with "RSA_DECRYPT_" are usable with CryptoKey.purpose ASYMMETRIC_DECRYPT. The fields in the name after "RSA_DECRYPT_" correspond to the following parameters: padding algorithm, modulus bit length, and digest algorithm. Algorithms beginning with "EC_SIGN_" are usable with CryptoKey.purpose ASYMMETRIC_SIGN. The fields in the name after "EC_SIGN_" correspond to the following parameters: elliptic curve, digest algorithm. Algorithms beginning with "HMAC_" are usable with CryptoKey.purpose MAC. The suffix following "HMAC_" corresponds to the hash algorithm being used (eg. SHA256). 
+ Possible values: + * CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED + * GOOGLE_SYMMETRIC_ENCRYPTION + * RSA_SIGN_PSS_2048_SHA256 + * RSA_SIGN_PSS_3072_SHA256 + * RSA_SIGN_PSS_4096_SHA256 + * RSA_SIGN_PSS_4096_SHA512 + * RSA_SIGN_PKCS1_2048_SHA256 + * RSA_SIGN_PKCS1_3072_SHA256 + * RSA_SIGN_PKCS1_4096_SHA512 + * RSA_SIGN_PKCS1_4096_SHA256 + * RSA_SIGN_RAW_PKCS1_2048 + * RSA_SIGN_RAW_PKCS1_3072 + * RSA_SIGN_RAW_PKCS1_4096 + * RSA_DECRYPT_OAEP_2048_SHA256 + * RSA_DECRYPT_OAEP_3072_SHA256 + * RSA_DECRYPT_OAEP_4096_SHA256 + * RSA_DECRYPT_OAEP_4096_SHA512 + * RSA_DECRYPT_OAEP_2048_SHA1 + * RSA_DECRYPT_OAEP_3072_SHA1 + * RSA_DECRYPT_OAEP_4096_SHA1 + * EC_SIGN_P256_SHA256 + * EC_SIGN_P384_SHA384 + * EC_SIGN_SECP256K1_SHA256 + * HMAC_SHA256 + * EXTERNAL_SYMMETRIC_ENCRYPTION + + * `attestation`: Statement that was generated and signed by the key creator (for example, an HSM) at key creation time. Use this statement to verify attributes of the key as stored on the HSM, independently of Google. Only present if the chosen ImportMethod is one with a protection level of HSM. + + * `format`: The format of the attestation data. + + * `content`: The attestation data provided by the HSM when the key operation was performed. A base64-encoded string. + + * `import_job`: Output only. The name of the ImportJob used in the most recent import of this CryptoKeyVersion. Only present if the underlying key material was imported. + + * `import_time`: The time that this resource was created on the server. This is in RFC3339 text format. + + * `import_failure_reason`: Output only. The root cause of the most recent import failure. Only present if state is IMPORT_FAILED. + + * `external_protection_level_options`: ExternalProtectionLevelOptions stores a group of additional fields for configuring a CryptoKeyVersion that are specific to the EXTERNAL protection level and EXTERNAL_VPC protection levels. + + * `external_key_uri`: The URI for an external resource that this CryptoKeyVersion represents. 
+ + * `ekm_connection_key_path`: The path to the external key material on the EKM when using EkmConnection e.g., "v0/my/key". Set this field instead of externalKeyUri when using an EkmConnection. + + * `reimport_eligible`: Output only. Whether or not this key version is eligible for reimport, by being specified as a target in ImportCryptoKeyVersionRequest.crypto_key_version. + + * `key_ring`: The KeyRing that this key belongs to. Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}'`. + + * `crypto_key`: The KeyRing that this key belongs to. Format: `'projects/{{project}}/locations/{{location}}/keyRings/{{keyRing}}/cryptoKeys/{{cryptoKey}}'`. + + +## GCP Permissions + +Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the current project. diff --git a/test/integration/verify/controls/google_kms_crypto_key_version.rb b/test/integration/verify/controls/google_kms_crypto_key_version.rb new file mode 100644 index 000000000..3c654fa80 --- /dev/null +++ b/test/integration/verify/controls/google_kms_crypto_key_version.rb 
@@ -0,0 +1,39 @@ +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** Type: MMv1 *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- + +title 'Test GCP google_kms_crypto_key_version resource.' + +gcp_project_id = input(:gcp_project_id, value: 'gcp_project_id', description: 'The GCP project identifier.') +gcp_location = input(:gcp_location, value: 'gcp_location', description: 'GCP location') +gcp_kms_key_ring_policy_name = input(:gcp_kms_key_ring_policy_name, value: 'gcp_kms_key_ring_policy_name', description: 'Key ring name') +gcp_kms_crypto_key_name_policy = input(:gcp_kms_crypto_key_name_policy, value: 'gcp_kms_crypto_key_name_policy', description: 'Key name') +gcp_enable_privileged_resources = input(:gcp_enable_privileged_resources, value: 'gcp_enable_privileged_resources', description: 'If we are running tests with escalated permissions(required for this test)') +gcp_organization_id = input(:gcp_organization_id, value: gcp_organization_id, description: 'The identifier of the organization') +control 'google_kms_crypto_key_version-1.0' do + impact 1.0 + title 'google_kms_crypto_key_version resource test' + + describe google_kms_crypto_key_version(project: gcp_project_id, location: gcp_location, key_ring: gcp_kms_key_ring_policy_name, crypto_key: gcp_kms_crypto_key, name: gcp_kms_crypto_key_name_policy) do + it { should exist } + its('crypto_key_name') { should cmp gcp_kms_crypto_key_name_policy } + its('primary_state') { should eq "ENABLED" } + its('purpose') { should eq "ENCRYPT_DECRYPT" } + its('next_rotation_time') { should be > 
Time.now - 100000 } + its('create_time') { should be > Time.now - 365*60*60*24*10 } + end + + describe google_kms_crypto_key_version(project: gcp_project_id, location: gcp_location, key_ring: gcp_kms_key_ring_policy_name, crypto_key: gcp_kms_crypto_key, name: "nonexistent") do + it { should_not exist } + end +end diff --git a/test/integration/verify/controls/google_kms_crypto_key_versions.md b/test/integration/verify/controls/google_kms_crypto_key_versions.md new file mode 100644 index 000000000..9b1be4756 --- /dev/null +++ b/test/integration/verify/controls/google_kms_crypto_key_versions.md 
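Review bot: The first `describe` block asserts `crypto_key_name`, `primary_state`, `purpose` and `next_rotation_time`, none of which `google_kms_crypto_key_version` defines (its readers are `name`, `state`, `protection_level`, `algorithm`, `attestation`, ...), so the control cannot pass even once the inputs are fixed; the same copy-pasted expectations appear in the docs example in this series. The security-relevant checks for a key version are its lifecycle state and how its material is held: replace those four lines with `its('state') { should eq 'ENABLED' }` and `its('protection_level') { should be_in %w[SOFTWARE HSM EXTERNAL EXTERNAL_VPC] }`, keeping the `create_time` expectation. The undefined `gcp_kms_crypto_key` and the self-referencing `gcp_organization_id` input are replaced by the later patch in this series, so they are not re-raised here.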
@@ -0,0 +1,44 @@ +--- +title: About the google_kms_crypto_key_versions resource +platform: gcp +--- + +## Syntax +A `google_kms_crypto_key_versions` is used to test a Google CryptoKeyVersion resource + +## Examples +``` +describe google_kms_crypto_key_versions(project: 'chef-gcp-inspec', location: 'europe-west2', key_ring: 'kms-key-ring', crypto_key: '') do + its('count') { should be >= 1 } + its('crypto_key_names') { should include 'kms-key' } +end +``` + +## Properties +Properties that can be accessed from the `google_kms_crypto_key_versions` resource: + +See [google_kms_crypto_key_version.md](google_kms_crypto_key_version.md) for more detailed information + * `names`: an array of `google_kms_crypto_key_version` name + * `create_times`: an array of `google_kms_crypto_key_version` create_time + * `generate_times`: an array of `google_kms_crypto_key_version` generate_time + * `destroy_times`: an array of `google_kms_crypto_key_version` destroy_time + * `destroy_event_times`: an array of `google_kms_crypto_key_version` destroy_event_time + * `states`: an array of `google_kms_crypto_key_version` state + * `protection_levels`: an array of `google_kms_crypto_key_version` protection_level + * `algorithms`: an array of `google_kms_crypto_key_version` algorithm + * `attestations`: an array of `google_kms_crypto_key_version` attestation + * `import_jobs`: an array of `google_kms_crypto_key_version` import_job + * `import_times`: an array of `google_kms_crypto_key_version` import_time + * `import_failure_reasons`: an array of `google_kms_crypto_key_version` import_failure_reason + * `external_protection_level_options`: an array of `google_kms_crypto_key_version` external_protection_level_options + * `reimport_eligibles`: an array of `google_kms_crypto_key_version` reimport_eligible + * `key_rings`: an array of `google_kms_crypto_key_version` key_ring + * `crypto_keys`: an array of `google_kms_crypto_key_version` crypto_key + +## Filter Criteria +This resource supports all 
of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP Permissions + +Ensure the [Cloud Key Management Service (KMS) API](https://console.cloud.google.com/apis/library/cloudkms.googleapis.com/) is enabled for the current project. diff --git a/test/integration/verify/controls/google_kms_crypto_key_versions.rb b/test/integration/verify/controls/google_kms_crypto_key_versions.rb new file mode 100644 index 000000000..7828fde27 --- /dev/null +++ b/test/integration/verify/controls/google_kms_crypto_key_versions.rb 
@@ -0,0 +1,31 @@ +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** Type: MMv1 *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- + +title 'Test GCP google_kms_crypto_key_versions resource.' + +gcp_project_id = input(:gcp_project_id, value: 'gcp_project_id', description: 'The GCP project identifier.') +gcp_location = input(:gcp_location, value: 'gcp_location', description: 'GCP location') +gcp_kms_key_ring_policy_name = input(:gcp_kms_key_ring_policy_name, value: 'gcp_kms_key_ring_policy_name', description: 'Key ring name') +gcp_kms_crypto_key_name_policy = input(:gcp_kms_crypto_key_name_policy, value: 'gcp_kms_crypto_key_name_policy', description: 'Key name') +gcp_enable_privileged_resources = input(:gcp_enable_privileged_resources, value: 'gcp_enable_privileged_resources', description: 'If we are running tests with escalated permissions(required for this test)') +gcp_organization_id = input(:gcp_organization_id, value: gcp_organization_id, description: 'The identifier of the organization') +control 'google_kms_crypto_key_versions-1.0' do + impact 1.0 + title 'google_kms_crypto_key_versions resource test' + + describe google_kms_crypto_key_versions(project: gcp_project_id, location: gcp_location, key_ring: gcp_kms_key_ring_policy_name, crypto_key: gcp_kms_crypto_key) do + its('count') { should be >= 1 } + its('crypto_key_names') { should include gcp_kms_crypto_key_name_policy } + end +end From 6898356700d78e54bd3c56d729d0caf27745f702 Mon Sep 17 00:00:00 2001 
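Review bot: `its('crypto_key_names')` is not a column of the plural resource; the filter table in this series exposes `names`, `states`, `protection_levels`, `algorithms`, `crypto_keys` and so on, so this expectation fails on an unknown method rather than on key state. An assertion that says something about the versions themselves would be `its('states') { should include 'ENABLED' }`, optionally with `its('protection_levels') { should_not include 'PROTECTION_LEVEL_UNSPECIFIED' }`. The describe also passes the undefined `gcp_kms_crypto_key` and declares `gcp_organization_id` in terms of itself; the third patch in this series changes twelve lines of this file, and if it mirrors the input rewrite visible for the singular control those two are already addressed, but the column names would remain wrong.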
From: sa-progress Date: Fri, 5 Aug 2022 13:39:24 +0530 Subject: [PATCH 2/4] cloud-kms-key-rings-crypto-keys-crypto-key-versions resource added Signed-off-by: sa-progress --- .../controls => docs/resources}/google_kms_crypto_key_version.md | 0 .../controls => docs/resources}/google_kms_crypto_key_versions.md | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename {test/integration/verify/controls => docs/resources}/google_kms_crypto_key_version.md (100%) rename {test/integration/verify/controls => docs/resources}/google_kms_crypto_key_versions.md (100%) diff --git a/test/integration/verify/controls/google_kms_crypto_key_version.md b/docs/resources/google_kms_crypto_key_version.md similarity index 100% rename from test/integration/verify/controls/google_kms_crypto_key_version.md rename to docs/resources/google_kms_crypto_key_version.md diff --git a/test/integration/verify/controls/google_kms_crypto_key_versions.md b/docs/resources/google_kms_crypto_key_versions.md similarity index 100% rename from test/integration/verify/controls/google_kms_crypto_key_versions.md rename to docs/resources/google_kms_crypto_key_versions.md From 9e5d068a15e98c4d7cfbfc01755b2799128ebdd5 Mon Sep 17 00:00:00 2001 From: balasubramanian-s Date: Fri, 19 Jan 2024 15:27:09 +0530 Subject: [PATCH 3/4] add tf scripts Signed-off-by: balasubramanian-s --- libraries/google_kms_crypto_key_versions.rb | 32 +++++++++---------- test/integration/build/gcp-mm.tf | 19 +++++++++++ .../configuration/mm-attributes.yml | 5 +++ .../controls/google_kms_crypto_key_version.rb | 17 +++++----- .../google_kms_crypto_key_versions.rb | 12 +++---- 5 files changed, 54 insertions(+), 31 deletions(-) diff --git a/libraries/google_kms_crypto_key_versions.rb b/libraries/google_kms_crypto_key_versions.rb index 7ff562095..f73057bf2 100644 --- a/libraries/google_kms_crypto_key_versions.rb +++ b/libraries/google_kms_crypto_key_versions.rb 
@@ -78,22 +78,22 @@ def transform(key, value) def transformers { - 'name' => ->(obj) { return :name, obj['name'] }, - 'createTime' => ->(obj) { return :create_time, parse_time_string(obj['createTime']) }, - 'generateTime' => ->(obj) { return :generate_time, parse_time_string(obj['generateTime']) }, - 'destroyTime' => ->(obj) { return :destroy_time, parse_time_string(obj['destroyTime']) }, - 'destroyEventTime' => ->(obj) { return :destroy_event_time, parse_time_string(obj['destroyEventTime']) }, - 'state' => ->(obj) { return :state, obj['state'] }, - 'protectionLevel' => ->(obj) { return :protection_level, obj['protectionLevel'] }, - 'algorithm' => ->(obj) { return :algorithm, obj['algorithm'] }, - 'attestation' => ->(obj) { return :attestation, GoogleInSpec::KMS::Property::CryptoKeyVersionAttestation.new(obj['attestation'], to_s) }, - 'importJob' => ->(obj) { return :import_job, obj['importJob'] }, - 'importTime' => ->(obj) { return :import_time, parse_time_string(obj['importTime']) }, - 'importFailureReason' => ->(obj) { return :import_failure_reason, obj['importFailureReason'] }, - 'externalProtectionLevelOptions' => ->(obj) { return :external_protection_level_options, GoogleInSpec::KMS::Property::CryptoKeyVersionExternalProtectionLevelOptions.new(obj['externalProtectionLevelOptions'], to_s) }, - 'reimportEligible' => ->(obj) { return :reimport_eligible, obj['reimportEligible'] }, - 'keyRing' => ->(obj) { return :key_ring, obj['keyRing'] }, - 'cryptoKey' => ->(obj) { return :crypto_key, obj['cryptoKey'] }, + 'name' => ->(obj) { [:name, obj['name']] }, + 'createTime' => ->(obj) { [:create_time, parse_time_string(obj['createTime'])] }, + 'generateTime' => ->(obj) { [:generate_time, parse_time_string(obj['generateTime'])] }, + 'destroyTime' => ->(obj) { [:destroy_time, parse_time_string(obj['destroyTime'])] }, + 'destroyEventTime' => ->(obj) { [:destroy_event_time, parse_time_string(obj['destroyEventTime'])] }, + 'state' => ->(obj) { [:state, obj['state']] }, + 
'protectionLevel' => ->(obj) { [:protection_level, obj['protectionLevel']] }, + 'algorithm' => ->(obj) { [:algorithm, obj['algorithm']] }, + 'attestation' => ->(obj) { [:attestation, GoogleInSpec::KMS::Property::CryptoKeyVersionAttestation.new(obj['attestation'], to_s)] }, + 'importJob' => ->(obj) { [:import_job, obj['importJob']] }, + 'importTime' => ->(obj) { [:import_time, parse_time_string(obj['importTime'])] }, + 'importFailureReason' => ->(obj) { [:import_failure_reason, obj['importFailureReason']] }, + 'externalProtectionLevelOptions' => ->(obj) { [:external_protection_level_options, GoogleInSpec::KMS::Property::CryptoKeyVersionExternalProtectionLevelOptions.new(obj['externalProtectionLevelOptions'], to_s)] }, + 'reimportEligible' => ->(obj) { [:reimport_eligible, obj['reimportEligible']] }, + 'keyRing' => ->(obj) { [:key_ring, obj['keyRing']] }, + 'cryptoKey' => ->(obj) { [:crypto_key, obj['cryptoKey']] }, } end diff --git a/test/integration/build/gcp-mm.tf b/test/integration/build/gcp-mm.tf index 1c4fdb970..a1a77e023 100644 --- a/test/integration/build/gcp-mm.tf +++ b/test/integration/build/gcp-mm.tf @@ -1700,3 +1700,22 @@ resource "google_compute_region_network_endpoint_group" "region_network_endpoint region = var.region_network_endpoint_group.region psc_target_service = var.region_network_endpoint_group.target_service } + +variable "crypto_key_version" { + type = any +} + +resource "google_kms_key_ring" "keyring" { + name = var.crypto_key_version.key_ring + location = var.crypto_key_version.region +} + +resource "google_kms_crypto_key" "cryptokey" { + name = var.crypto_key_version.crypto_key + key_ring = google_kms_key_ring.keyring.id + rotation_period = "100000s" +} + +resource "google_kms_crypto_key_version" "example-key" { + crypto_key = google_kms_crypto_key.cryptokey.id +} diff --git a/test/integration/configuration/mm-attributes.yml b/test/integration/configuration/mm-attributes.yml index 7fd96ff80..0e7d40d62 100644 
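Review bot: The `attestation` and `externalProtectionLevelOptions` lambdas still pass `to_s` as the parent identifier, and `KMSCryptoKeyVersions` defines no `to_s` of its own, so the property objects are labelled with `Object#to_s` output (`#<KMSCryptoKeyVersions:0x...>`) rather than the key being inspected; switching from `return` to array literals is a good cleanup but leaves that unchanged. Adding `def to_s; "CryptoKeyVersions #{@params[:key_ring]}/#{@params[:crypto_key]}"; end` to the class gives attestation and EKM findings a usable label. The `parse_time_string` helper below relies on `Time.parse`, which is in the `time` stdlib rather than core Ruby; presumably `gcp_backend` loads it, but an explicit `require 'time'` next to `require 'gcp_backend'` would not hurt.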
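Review bot: `google_kms_key_ring.keyring` is created under the fixed name in `var.crypto_key_version.key_ring`, but Cloud KMS key rings cannot be deleted, so after a `terraform destroy` the next apply of this fixture collides with the ring that still exists; the other KMS inputs in this series use suffixed names such as `gcp-inspec-kms-key-ring-aytsuncucfsfrvochsuubyovf`, presumably for that reason. Deriving the ring name with a unique suffix (from a `random_id` resource if the file already declares one) avoids the collision, and a comment such as `# key rings are permanent in GCP; never reuse a fixed name across apply/destroy cycles` would explain the constraint to the next maintainer. The key is created without `purpose` or `version_template`, so the versions under test are software-protected symmetric keys; that is fine for a fixture but worth stating in a comment if the controls are meant to pin `protection_level`.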
--- a/test/integration/configuration/mm-attributes.yml +++ b/test/integration/configuration/mm-attributes.yml @@ -632,3 +632,8 @@ apigee_organization_apis: name : "firstproxy", parent : "organizations/ppradhan", api_proxy_type : "PROGRAMMABLE" + +crypto_key_version: + key_ring: "gcp-inspec-kms-key-ring" + crypto_key: "gcp-inspec-kms-crypto-key-policy" + region: "us-central-1" diff --git a/test/integration/verify/controls/google_kms_crypto_key_version.rb b/test/integration/verify/controls/google_kms_crypto_key_version.rb index 3c654fa80..8a4bd376c 100644 --- a/test/integration/verify/controls/google_kms_crypto_key_version.rb +++ b/test/integration/verify/controls/google_kms_crypto_key_version.rb 
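Review bot: `region: "us-central-1"` is not a Cloud KMS location; the valid form is `us-central1`, which is also what the control in the following hunk passes as `gcp_location`, so the key ring in `gcp-mm.tf` would fail to create under this value. Change it to `region: "us-central1"`. The `crypto_key` and `key_ring` names here also differ from the suffixed names hard-coded into the control inputs, so as far as visible the versions inspected are not the ones this fixture creates; a one-line comment stating which ring the controls actually target would remove the ambiguity.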
@@ -14,26 +14,25 @@ title 'Test GCP google_kms_crypto_key_version resource.'
-gcp_project_id = input(:gcp_project_id, value: 'gcp_project_id', description: 'The GCP project identifier.')
-gcp_location = input(:gcp_location, value: 'gcp_location', description: 'GCP location')
-gcp_kms_key_ring_policy_name = input(:gcp_kms_key_ring_policy_name, value: 'gcp_kms_key_ring_policy_name', description: 'Key ring name')
-gcp_kms_crypto_key_name_policy = input(:gcp_kms_crypto_key_name_policy, value: 'gcp_kms_crypto_key_name_policy', description: 'Key name')
-gcp_enable_privileged_resources = input(:gcp_enable_privileged_resources, value: 'gcp_enable_privileged_resources', description: 'If we are running tests with escalated permissions(required for this test)')
-gcp_organization_id = input(:gcp_organization_id, value: gcp_organization_id, description: 'The identifier of the organization')
+gcp_project_id = input(:gcp_project_id, value: 'ppradhan', description: 'The GCP project identifier.')
+gcp_location = input(:gcp_location, value: 'us-central1', description: 'GCP location')
+gcp_kms_key_ring_policy_name = input(:gcp_kms_key_ring_policy_name, value: 'gcp-inspec-kms-key-ring-aytsuncucfsfrvochsuubyovf', description: 'Key ring name')
+gcp_kms_crypto_key = input(:gcp_kms_crypto_key, value: 'gcp-inspec-kms-crypto-key-policy-rbgvmohbidtgdzfatbzwckttd', description: 'Key name')
+gcp_kms_crypto_key_version = input(:gcp_kms_crypto_key_version, value: '1', description: 'Version name')
 control 'google_kms_crypto_key_version-1.0' do
 impact 1.0
 title 'google_kms_crypto_key_version resource test'
- describe google_kms_crypto_key_version(project: gcp_project_id, location: gcp_location, key_ring: gcp_kms_key_ring_policy_name, crypto_key: gcp_kms_crypto_key, name: gcp_kms_crypto_key_name_policy) do
+ describe google_kms_crypto_key_version(project: gcp_project_id, location: gcp_location, key_ring: gcp_kms_key_ring_policy_name, crypto_key: gcp_kms_crypto_key, name: gcp_kms_crypto_key_version) do
 it { should exist }
- its('crypto_key_name') { should cmp gcp_kms_crypto_key_name_policy }
+ its('crypto_key_name') { should cmp gcp_kms_crypto_key }
 its('primary_state') { should eq "ENABLED" }
 its('purpose') { should eq "ENCRYPT_DECRYPT" }
 its('next_rotation_time') { should be > Time.now - 100000 }
 its('create_time') { should be > Time.now - 365*60*60*24*10 }
 end
- describe google_kms_crypto_key_version(project: gcp_project_id, location: gcp_location, key_ring: gcp_kms_key_ring_policy_name, crypto_key: gcp_kms_crypto_key, name: "nonexistent") do
+ describe google_kms_crypto_key_version(project: gcp_project_id, location: gcp_location, key_ring: gcp_kms_key_ring_policy_name, crypto_key: gcp_kms_crypto_key, name: gcp_kms_crypto_key_version) do
 it { should_not exist }
 end
 end
diff --git a/test/integration/verify/controls/google_kms_crypto_key_versions.rb b/test/integration/verify/controls/google_kms_crypto_key_versions.rb
index 7828fde27..0fe3cdfb4 100644
--- a/test/integration/verify/controls/google_kms_crypto_key_versions.rb
+++ b/test/integration/verify/controls/google_kms_crypto_key_versions.rb
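Review bot: The second `describe` in this hunk now looks up the same `name: gcp_kms_crypto_key_version` that the first block asserts exists, yet keeps `it { should_not exist }`, so one of the two blocks must always fail; the negative case should keep a name that cannot exist, e.g. `name: "nonexistent"`. The remaining assertions (`crypto_key_name`, `primary_state`, `purpose`, `next_rotation_time`) look like `google_kms_crypto_key` attributes — the version resource's parse map visible earlier on this page exposes `protection_level`, `algorithm`, `attestation`, `import_*`, `key_ring` and `crypto_key` and none of those four, so unless they are defined in the part of the library not shown here, they will fail against a key version. Consider asserting version attributes instead, such as `its('algorithm') { should eq 'GOOGLE_SYMMETRIC_ENCRYPTION' }` and `its('protection_level') { should eq 'SOFTWARE' }`. Separately, the new input defaults commit an environment-specific project id (`'ppradhan'`) and run-specific suffixed key names into the profile; the same defaults appear in the `google_kms_crypto_key_versions.rb` hunk below, and both would read better as placeholders that the harness overrides.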
@@ -14,12 +14,12 @@ title 'Test GCP google_kms_crypto_key_versions resource.'
-gcp_project_id = input(:gcp_project_id, value: 'gcp_project_id', description: 'The GCP project identifier.')
-gcp_location = input(:gcp_location, value: 'gcp_location', description: 'GCP location')
-gcp_kms_key_ring_policy_name = input(:gcp_kms_key_ring_policy_name, value: 'gcp_kms_key_ring_policy_name', description: 'Key ring name')
-gcp_kms_crypto_key_name_policy = input(:gcp_kms_crypto_key_name_policy, value: 'gcp_kms_crypto_key_name_policy', description: 'Key name')
-gcp_enable_privileged_resources = input(:gcp_enable_privileged_resources, value: 'gcp_enable_privileged_resources', description: 'If we are running tests with escalated permissions(required for this test)')
-gcp_organization_id = input(:gcp_organization_id, value: gcp_organization_id, description: 'The identifier of the organization')
+gcp_project_id = input(:gcp_project_id, value: 'ppradhan', description: 'The GCP project identifier.')
+gcp_location = input(:gcp_location, value: 'us-central1', description: 'GCP location')
+gcp_kms_key_ring_policy_name = input(:gcp_kms_key_ring_policy_name, value: 'gcp-inspec-kms-key-ring-aytsuncucfsfrvochsuubyovf', description: 'Key ring name')
+gcp_kms_crypto_key = input(:gcp_kms_crypto_key, value: 'gcp-inspec-kms-crypto-key-policy-rbgvmohbidtgdzfatbzwckttd', description: 'Key name')
+gcp_kms_crypto_key_version = input(:gcp_kms_crypto_key_version, value: '1', description: 'Version name')
+
 control 'google_kms_crypto_key_versions-1.0' do
 impact 1.0
 title 'google_kms_crypto_key_versions resource test'
From 8d85a2cb6448ace173a3b35a4039494336706c5f Mon Sep 17 00:00:00 2001
From: balasubramanian-s
Date: Mon, 22 Jan 2024 11:24:15 +0530
Subject: [PATCH 4/4] update readme
Signed-off-by: balasubramanian-s
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 69ec0de17..1a0ea143b 100644
--- a/README.md
+++ b/README.md
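Review bot: The `describe` block of this control sits below the hunk and is not visible here; if it still references the removed `gcp_kms_crypto_key_name_policy` input it will raise a NameError at profile load, so the rename to `gcp_kms_crypto_key` should be checked against the body below. The new `gcp_kms_crypto_key_version` input is not referenced anywhere in the hunk either; a plural resource may not need a version name, and if the block below does not use it the line is dead and can be dropped. The enclosing control starts in the hunk and continues past it.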
@@ -280,6 +280,7 @@ The following resources are available in the InSpec GCP Profile
 | [google_kms_crypto_key](docs/resources/google_kms_crypto_key.md) | [google_kms_crypto_keys](docs/resources/google_kms_crypto_keys.md) |
 | [google_kms_crypto_key_iam_binding](docs/resources/google_kms_crypto_key_iam_binding.md) | [google_kms_crypto_key_iam_bindings](docs/resources/google_kms_crypto_key_iam_bindings.md) |
 | [google_kms_crypto_key_iam_policy](docs/resources/google_kms_crypto_key_iam_policy.md) | No Plural Resource |
+| [google_kms_crypto_key_version](docs/resources/google_kms_crypto_key_version.md) | [google_kms_crypto_key_versions](docs/resources/google_kms_crypto_key_versions.md) |
 | [google_kms_ekm_connection](docs/resources/google_kms_ekm_connection.md) | [google_kms_ekm_connections](docs/resources/google_kms_ekm_connections.md) |
 | [google_kms_key_ring](docs/resources/google_kms_key_ring.md) | [google_kms_key_rings](docs/resources/google_kms_key_rings.md) |
 | [google_kms_key_ring_iam_binding](docs/resources/google_kms_key_ring_iam_binding.md) | [google_kms_key_ring_iam_bindings](docs/resources/google_kms_key_ring_iam_bindings.md) |