inspec-cloudformation 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 0bac1eaa6b1118ac6bb8066a77210d81199502aa46c8c6d0a66280f098fd0fca
+  data.tar.gz: 93fb485ae89f6c423a3dc815b1acd5a892e8d9849487d5ba562526b0b421cad9
+SHA512:
+  metadata.gz: af62285f8c803d4e32303a271469412ecd78f28d6534a1e198d721ab264bf13b8da5130755dd14e54440b9e47bbcc25211e9796930e2a120ddd568d00dc882c0
+  data.tar.gz: 2b3692f7fbd654e8de573e58a8708dbbaade5e43658aefad4aeea1bcb0bb5bbab30e6673e0f16c7c53f11e65c519cea3edebbb775a68ef86c764460ff712939b

data/Gemfile

@@ -0,0 +1,18 @@
+source "https://rubygems.org"
+
+gemspec
+
+# gem "inspec-bin"
+gem 'rake-release'
+
+
+
+group :development do
+  gem "chefstyle", "2.2.0"
+  gem "m"
+  gem "bundler"
+  gem "byebug"
+  gem "minitest"
+  gem "rake"
+  gem "rubocop"
+end

data/README.md

@@ -0,0 +1 @@
+# inspec-cloudformation

data/inspec-cloudformation.gemspec

@@ -0,0 +1,38 @@
+# As plugins are usually packaged and distributed as a RubyGem,
+# we have to provide a .gemspec file, which controls the gembuild
+# and publish process.  This is a fairly generic gemspec.
+
+# It is traditional in a gemspec to dynamically load the current version
+# from a file in the source tree.  The next three lines make that happen.
+lib = File.expand_path("lib", __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "inspec-cloudformation/version"
+
+Gem::Specification.new do |spec|
+  # Importantly, all InSpec plugins must be prefixed with `inspec-` (most
+  # plugins) or `train-` (plugins which add new connectivity features).
+  spec.name          = "inspec-cloudformation"
+
+  # It is polite to namespace your plugin under InspecPlugins::YourPluginInCamelCase
+  spec.version       = InspecPlugins::Vault::VERSION
+  spec.authors       = ["Andy Boutte"]
+  spec.email         = ["andyboutte@gmail.com"]
+  spec.summary       = "Use CloudFormation Outputs in your InSpec profiles"
+  spec.description   = "This plugin allows InSpec 'inputs' to be provided by CloudFormation Outputs."
+  spec.homepage      = "https://github.com/aboutte/inspec-cloudformation"
+  spec.license       = "Apache-2.0"
+
+  # Though complicated-looking, this is pretty standard for a gemspec.
+  # It just filters what will actually be packaged in the gem (leaving
+  # out tests, etc)
+  spec.files = %w{
+    README.md inspec-cloudformation.gemspec Gemfile
+  } + Dir.glob(
+    "lib/**/*", File::FNM_DOTMATCH
+  ).reject { |f| File.directory?(f) }
+  spec.require_paths = ["lib"]
+
+  # If you rely on any other gems, list them here with any constraints.
+  # This is how `inspec plugin install` is able to manage your dependencies.
+
+end

data/lib/inspec-cloudformation/input.rb

@@ -0,0 +1,156 @@
+require 'aws-sdk-cloudformation'
+
+
+
+
+
+
+
+
+
+
+# See https://github.com/inspec/inspec/blob/master/docs/dev/plugins.md#implementing-input-plugins
+
+module InspecPlugins::Vault
+  class Input < Inspec.plugin(2, :input)
+
+    VALID_PATTERNS = [
+      Regexp.new("^databag://[^/]+/[^/]+/.+$"),
+      Regexp.new("^node://[^/]*/attributes/.+$"),
+    ].freeze
+
+    attr_reader :plugin_conf
+    # attr_reader :mount_point
+    # attr_reader :path_prefix
+    # attr_reader :vault
+    attr_reader :priority
+    attr_reader :input_name
+    attr_reader :logger
+
+    def initialize
+      @plugin_conf = Inspec::Config.cached.fetch_plugin_config("inspec-cloudformation")
+
+      @logger = Inspec::Log
+      logger.debug format("inspec-cloudformation plugin version %s", VERSION)
+
+      # @mount_point = fetch_plugin_setting("mount_point", "secret")
+      # @path_prefix = fetch_plugin_setting("path_prefix", "inspec")
+
+      # We need priority to be numeric; even though env vars or JSON may present it as string - hence the to_i
+      @priority = fetch_plugin_setting("priority", 60).to_i
+
+      # @vault = Vault::Client.new(
+      #   address: fetch_vault_setting("vault_addr"),
+      #   token: fetch_vault_setting("vault_token")
+      # )
+    end
+
+    # What priority should an input value recieve from us?
+    # This plgin does not currently allow setting this on a per-input basis,
+    # so they all recieve the same "default" value.
+    # Implements https://github.com/inspec/inspec/blob/master/dev-docs/plugins.md#default_priority
+    def default_priority
+      priority
+    end
+
+    # returns Array of input names as strings
+    # def list_inputs(profile_name)
+    #   vault.with_retries(Vault::HTTPConnectionError) do
+    #     path = logical_path_for_profile(profile_name)
+    #     doc = vault.logical.read(path)
+    #     return [] unless doc
+
+    #     return doc.data[:data].keys.map(&:to_s)
+    #   end
+    # end
+
+    # Fetch a value of a single input from Vault
+    
+    def fetch(profile_name, input_name)
+      return nil if input_name.include?('_')
+
+
+      cf = Aws::CloudFormation::Client.new
+
+      # input format will be "cloudformation stack name / output name"
+
+      stack_name = input_name.split('/').first
+      output_name = input_name.split('/').last
+
+      logger.info format("The stack name is  %s", stack_name)
+      logger.info format("The output name is  %s", output_name)
+
+      name = { stack_name: stack_name }
+      resp = cf.describe_stacks(name)
+      return nil if resp.stacks.nil? || resp.stacks.empty?
+      stack = resp.stacks.first
+      stack.outputs.each do |output|
+          next unless output['output_key'] == output_name
+          return output['output_value']
+      end
+      
+      # stacks.each do |stack|
+      #     next if input(stack).nil? # If HRA addon was skipped we expect the input to be skipped also
+          
+      # end
+
+
+
+      # @input_name = input_name
+
+      # path = logical_path_for_profile(profile_name)
+      # item = input_name
+
+      # if absolute_path?
+      #   _empty, *path, item = input_name.split("/")
+      #   path = logical_path path.join("/")
+      # end
+
+      # logger.info format("Reading Vault secret from %s", path)
+      # vault.with_retries(Vault::HTTPConnectionError) do
+      #   doc = vault.logical.read(path)
+      #   # Keys from vault are always symbolized
+      #   return doc.data[:data][item.to_sym] if doc
+      # end
+    end
+
+    private
+
+    # # Assumption for profile based lookups: inputs have been stored on documents named
+    # # for their profiles, and each input has a key-value pair in the document.
+    # def logical_path_for_profile(profile_name)
+    #   logical_path(profile_name)
+    # end
+
+    # def logical_path(relative_path)
+    #   # When you actually read a value, on the KV2 backend you must
+    #   # read secret/data/path, not secret/path (as on the CLI)
+    #   # https://www.vaultproject.io/api/secret/kv/kv-v2.html#read-secret-version
+    #   # Is this true for all backends?
+    #   "#{mount_point}/data/#{prefix}#{relative_path}"
+    # end
+
+    # def prefix
+    #   return "#{path_prefix}/" unless absolute_path?
+
+    #   ""
+    # end
+
+    # def absolute_path?
+    #   input_name.start_with?("/")
+    # end
+
+    def valid_plugin_input?(input)
+      VALID_PATTERNS.any? { |regex| regex.match? input }
+    end
+
+    def fetch_plugin_setting(setting_name, default = nil)
+      env_var_name = "INSPEC_CLOUDFORMATION_#{setting_name.upcase}"
+      ENV[env_var_name] || plugin_conf[setting_name] || default
+    end
+
+    # def fetch_vault_setting(setting_name)
+    #   ENV[setting_name.upcase] || plugin_conf[setting_name]
+    # end
+  end
+end

data/lib/inspec-cloudformation/plugin.rb

@@ -0,0 +1,25 @@
+# Plugin Definition file
+# The purpose of this file is to declare to InSpec what plugin_types (capabilities)
+# are included in this plugin, and provide hooks that will load them as needed.
+
+# It is important that this file load successfully and *quickly*.
+# Your plugin's functionality may never be used on this InSpec run; so we keep things
+# fast and light by only loading heavy things when they are needed.
+
+# Presumably this is light
+require "inspec-cloudformation/version"
+module InspecPlugins
+  module Vault
+    class Plugin < ::Inspec.plugin(2)
+      # Internal machine name of the plugin. InSpec will use this in errors, etc.
+      plugin_name :'inspec-cloudformation'
+
+      # Define an Input plugin type.
+      input :vault do
+        require_relative "input"
+        InspecPlugins::Vault::Input
+      end
+
+    end
+  end
+end

data/lib/inspec-cloudformation/version.rb

@@ -0,0 +1,8 @@
+# This file simply makes it easier for CI engines to update
+# the version stamp, and provide a clean way for the gemspec
+# to learn the current version.
+module InspecPlugins
+  module Vault
+    VERSION = "0.0.1".freeze
+  end
+end

data/lib/inspec-cloudformation.rb

@@ -0,0 +1,14 @@
+# This file is known as the "entry point."
+# This is the file InSpec will try to load if it
+# thinks your plugin is installed.
+
+# The *only* thing this file should do is setup the
+# load path, then load the plugin definition file.
+
+# Next two lines simply add the path of the gem to the load path.
+# This is not needed when being loaded as a gem; but when doing
+# plugin development, you may need it.  Either way, it's harmless.
+libdir = File.dirname(__FILE__)
+$LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
+
+require "inspec-cloudformation/plugin"

metadata

@@ -0,0 +1,50 @@
+--- !ruby/object:Gem::Specification
+name: inspec-cloudformation
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Andy Boutte
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2022-07-01 00:00:00.000000000 Z
+dependencies: []
+description: This plugin allows InSpec 'inputs' to be provided by CloudFormation Outputs.
+email:
+- andyboutte@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- README.md
+- inspec-cloudformation.gemspec
+- lib/inspec-cloudformation.rb
+- lib/inspec-cloudformation/input.rb
+- lib/inspec-cloudformation/plugin.rb
+- lib/inspec-cloudformation/version.rb
+homepage: https://github.com/aboutte/inspec-cloudformation
+licenses:
+- Apache-2.0
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.6
+signing_key:
+specification_version: 4
+summary: Use CloudFormation Outputs in your InSpec profiles
+test_files: []