inspec-cloudformation 0.0.1 → 0.0.2
- checksums.yaml +4 -4
- data/Gemfile +0 -3
- data/inspec-cloudformation.gemspec +1 -1
- data/lib/inspec-cloudformation/input.rb +3 -83
- data/lib/inspec-cloudformation/plugin.rb +3 -3
- data/lib/inspec-cloudformation/version.rb +2 -2
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d4b001d6d0b1267f8fde5b01ea3e5e65ae9d20cf1e23f373f2ca60dbab3b4b9a
|
|
4
|
+
data.tar.gz: 17bf672a61199c52d39f1d738f1feb257b7015dd9f57cfd2ac7faff681d07ed2
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 546860726e04ee883b2930c3abe8134591e2d2b76496aacdb4d9ed328f8f872aef1b0471ad6bb718de193b647a3a39d8e03a042ab961685bb51edcf84bc8f814
|
|
7
|
+
data.tar.gz: 1141c69e4fe9266a06b1d517fd6831928d0f638703ad4bc996f1ff7527a93b1e4f33e4c2bb91981cf1b9ef063c3a8b59262a3718a448d46d7e8a8b65db7a982c
|
data/Gemfile
CHANGED
|
@@ -14,7 +14,7 @@ Gem::Specification.new do |spec|
|
|
|
14
14
|
spec.name = "inspec-cloudformation"
|
|
15
15
|
|
|
16
16
|
# It is polite to namespace your plugin under InspecPlugins::YourPluginInCamelCase
|
|
17
|
-
spec.version = InspecPlugins::
|
|
17
|
+
spec.version = InspecPlugins::CloudFormation::VERSION
|
|
18
18
|
spec.authors = ["Andy Boutte"]
|
|
19
19
|
spec.email = ["andyboutte@gmail.com"]
|
|
20
20
|
spec.summary = "Use CloudFormation Outputs in your InSpec profiles"
|
|
@@ -1,17 +1,8 @@
|
|
|
1
1
|
require 'aws-sdk-cloudformation'
|
|
2
2
|
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
3
|
# See https://github.com/inspec/inspec/blob/master/docs/dev/plugins.md#implementing-input-plugins
|
|
13
4
|
|
|
14
|
-
module InspecPlugins::
|
|
5
|
+
module InspecPlugins::CloudFormation
|
|
15
6
|
class Input < Inspec.plugin(2, :input)
|
|
16
7
|
|
|
17
8
|
VALID_PATTERNS = [
|
|
@@ -20,9 +11,6 @@ module InspecPlugins::Vault
|
|
|
20
11
|
].freeze
|
|
21
12
|
|
|
22
13
|
attr_reader :plugin_conf
|
|
23
|
-
# attr_reader :mount_point
|
|
24
|
-
# attr_reader :path_prefix
|
|
25
|
-
# attr_reader :vault
|
|
26
14
|
attr_reader :priority
|
|
27
15
|
attr_reader :input_name
|
|
28
16
|
attr_reader :logger
|
|
@@ -39,10 +27,7 @@ module InspecPlugins::Vault
|
|
|
39
27
|
# We need priority to be numeric; even though env vars or JSON may present it as string - hence the to_i
|
|
40
28
|
@priority = fetch_plugin_setting("priority", 60).to_i
|
|
41
29
|
|
|
42
|
-
|
|
43
|
-
# address: fetch_vault_setting("vault_addr"),
|
|
44
|
-
# token: fetch_vault_setting("vault_token")
|
|
45
|
-
# )
|
|
30
|
+
|
|
46
31
|
end
|
|
47
32
|
|
|
48
33
|
# What priority should an input value recieve from us?
|
|
@@ -52,28 +37,14 @@ module InspecPlugins::Vault
|
|
|
52
37
|
def default_priority
|
|
53
38
|
priority
|
|
54
39
|
end
|
|
55
|
-
|
|
56
|
-
# returns Array of input names as strings
|
|
57
|
-
# def list_inputs(profile_name)
|
|
58
|
-
# vault.with_retries(Vault::HTTPConnectionError) do
|
|
59
|
-
# path = logical_path_for_profile(profile_name)
|
|
60
|
-
# doc = vault.logical.read(path)
|
|
61
|
-
# return [] unless doc
|
|
62
|
-
|
|
63
|
-
# return doc.data[:data].keys.map(&:to_s)
|
|
64
|
-
# end
|
|
65
|
-
# end
|
|
66
|
-
|
|
67
|
-
# Fetch a value of a single input from Vault
|
|
68
40
|
|
|
69
41
|
def fetch(profile_name, input_name)
|
|
42
|
+
# skip any input name that is an invalid cloudformation stack name to keep things quick...no need to make the AWS API call.
|
|
70
43
|
return nil if input_name.include?('_')
|
|
71
44
|
|
|
72
|
-
|
|
73
45
|
cf = Aws::CloudFormation::Client.new
|
|
74
46
|
|
|
75
47
|
# input format will be "cloudformation stack name / output name"
|
|
76
|
-
|
|
77
48
|
stack_name = input_name.split('/').first
|
|
78
49
|
output_name = input_name.split('/').last
|
|
79
50
|
|
|
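Review bot: The comment added above `return nil if input_name.include?('_')` promises more than the guard delivers — it rejects only underscores, while an input name with no `/` at all (which cannot match the documented "stack name / output name" format) still falls through, so `stack_name` and `output_name` both become the whole name and `Aws::CloudFormation::Client.new` is built (and, judging by the later hunk, queried) for it. If InSpec consults input plugins for every input a profile declares, as the `priority` mechanism suggests, that is one AWS round trip per ordinary input; tightening the guard to `return nil unless input_name.include?('/') && !input_name.include?('_')` keeps the comment honest and skips the call. If `VALID_PATTERNS` (cut off at the top of the file) already encodes the expected shape, `return nil unless valid_plugin_input?(input_name)` would keep that rule in one place instead of two. `fetch` continues past the end of this hunk, and the client is created on every call rather than memoized, which is worth a look there as well.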
@@ -88,58 +59,10 @@ module InspecPlugins::Vault
|
|
|
88
59
|
next unless output['output_key'] == output_name
|
|
89
60
|
return output['output_value']
|
|
90
61
|
end
|
|
91
|
-
|
|
92
|
-
# stacks.each do |stack|
|
|
93
|
-
# next if input(stack).nil? # If HRA addon was skipped we expect the input to be skipped also
|
|
94
|
-
|
|
95
|
-
# end
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
# @input_name = input_name
|
|
100
|
-
|
|
101
|
-
# path = logical_path_for_profile(profile_name)
|
|
102
|
-
# item = input_name
|
|
103
|
-
|
|
104
|
-
# if absolute_path?
|
|
105
|
-
# _empty, *path, item = input_name.split("/")
|
|
106
|
-
# path = logical_path path.join("/")
|
|
107
|
-
# end
|
|
108
|
-
|
|
109
|
-
# logger.info format("Reading Vault secret from %s", path)
|
|
110
|
-
# vault.with_retries(Vault::HTTPConnectionError) do
|
|
111
|
-
# doc = vault.logical.read(path)
|
|
112
|
-
# # Keys from vault are always symbolized
|
|
113
|
-
# return doc.data[:data][item.to_sym] if doc
|
|
114
|
-
# end
|
|
115
62
|
end
|
|
116
63
|
|
|
117
64
|
private
|
|
118
65
|
|
|
119
|
-
# # Assumption for profile based lookups: inputs have been stored on documents named
|
|
120
|
-
# # for their profiles, and each input has a key-value pair in the document.
|
|
121
|
-
# def logical_path_for_profile(profile_name)
|
|
122
|
-
# logical_path(profile_name)
|
|
123
|
-
# end
|
|
124
|
-
|
|
125
|
-
# def logical_path(relative_path)
|
|
126
|
-
# # When you actually read a value, on the KV2 backend you must
|
|
127
|
-
# # read secret/data/path, not secret/path (as on the CLI)
|
|
128
|
-
# # https://www.vaultproject.io/api/secret/kv/kv-v2.html#read-secret-version
|
|
129
|
-
# # Is this true for all backends?
|
|
130
|
-
# "#{mount_point}/data/#{prefix}#{relative_path}"
|
|
131
|
-
# end
|
|
132
|
-
|
|
133
|
-
# def prefix
|
|
134
|
-
# return "#{path_prefix}/" unless absolute_path?
|
|
135
|
-
|
|
136
|
-
# ""
|
|
137
|
-
# end
|
|
138
|
-
|
|
139
|
-
# def absolute_path?
|
|
140
|
-
# input_name.start_with?("/")
|
|
141
|
-
# end
|
|
142
|
-
|
|
143
66
|
def valid_plugin_input?(input)
|
|
144
67
|
VALID_PATTERNS.any? { |regex| regex.match? input }
|
|
145
68
|
end
|
|
@@ -149,8 +72,5 @@ module InspecPlugins::Vault
|
|
|
149
72
|
ENV[env_var_name] || plugin_conf[setting_name] || default
|
|
150
73
|
end
|
|
151
74
|
|
|
152
|
-
# def fetch_vault_setting(setting_name)
|
|
153
|
-
# ENV[setting_name.upcase] || plugin_conf[setting_name]
|
|
154
|
-
# end
|
|
155
75
|
end
|
|
156
76
|
end
|
|
@@ -9,15 +9,15 @@
|
|
|
9
9
|
# Presumably this is light
|
|
10
10
|
require "inspec-cloudformation/version"
|
|
11
11
|
module InspecPlugins
|
|
12
|
-
module
|
|
12
|
+
module CloudFormation
|
|
13
13
|
class Plugin < ::Inspec.plugin(2)
|
|
14
14
|
# Internal machine name of the plugin. InSpec will use this in errors, etc.
|
|
15
15
|
plugin_name :'inspec-cloudformation'
|
|
16
16
|
|
|
17
17
|
# Define an Input plugin type.
|
|
18
|
-
input :
|
|
18
|
+
input :cloudformation do
|
|
19
19
|
require_relative "input"
|
|
20
|
-
InspecPlugins::
|
|
20
|
+
InspecPlugins::CloudFormation::Input
|
|
21
21
|
end
|
|
22
22
|
|
|
23
23
|
end
|