inspec-iggy 0.2.0 → 0.4.0

data/lib/inspec-iggy/inspec_helper.rb

@@ -4,56 +4,78 @@
 # Copyright:: 2018, Chef Software, Inc <legal@chef.io>
 #
 
-require "inspec"
+require 'inspec'
 
-module Iggy
-  class InspecHelper
+module InspecPlugins
+  module Iggy
+    class InspecHelper
+      # constants for the InSpec resources
+      RESOURCES = Inspec::Resource.registry.keys
 
-    # constants for the InSpec resources
-    RESOURCES = Inspec::Resource.registry.keys
+      # translate Terraform resource name to InSpec
+      TRANSLATED_RESOURCES = {
+        'aws_instance' => 'aws_ec2_instance',
+        # 'aws_route' => 'aws_route_table' # needs route_table_id instead of id
+      }.freeze
 
-    # translate Terraform resource name to InSpec
-    TERRAFORM_RESOURCES = {
-      "aws_instance" => "aws_ec2_instance",
-      # 'aws_route' => 'aws_route_table' # needs route_table_id instead of id
-    }
+      # # there really should be some way to get this directly from InSpec's resources
+      def self.resource_properties(resource)
+        # remove the common methods, in theory only leaving only unique InSpec properties
+        inspec_properties = Inspec::Resource.registry[resource].instance_methods - COMMON_PROPERTIES
+        # get InSpec properties by method names
+        inspec_properties.collect!(&:to_s)
+        Inspec::Log.debug "InspecHelper.resource_properties #{resource} properties = #{inspec_properties}"
 
-    # # there really should be some way to get this directly from InSpec's resources
-    def self.resource_properties(resource)
-      # remove the common methods, in theory only leaving only unique InSpec properties
-      inspec_properties = Inspec::Resource.registry[resource].instance_methods - COMMON_PROPERTIES
-      # get InSpec properties by method names
-      inspec_properties.collect! { |x| x.to_s }
-      Inspec::Log.debug "Iggy::InspecHelper.resource_properties #{resource} properties = #{inspec_properties}"
-
-      inspec_properties
-    end
+        inspec_properties
+      end
 
-    def self.print_commands(extracted_profiles)
-      extracted_profiles.keys.each do |cmd|
-        type = extracted_profiles[cmd]["type"]
-        url = extracted_profiles[cmd]["url"]
-        key_name = extracted_profiles[cmd]["key_name"]
-        if type == "aws_instance"
-          ip = extracted_profiles[cmd]["public_ip"]
-          puts "inspec exec #{url} -t ssh://#{ip} -i #{key_name}"
-        else
-          puts "inspec exec #{url} -t aws://us-west-2"
+      def self.print_commands(extracted_profiles)
+        extracted_profiles.keys.each do |cmd|
+          type = extracted_profiles[cmd]['type']
+          url = extracted_profiles[cmd]['url']
+          key_name = extracted_profiles[cmd]['key_name']
+          if type == 'aws_instance'
+            ip = extracted_profiles[cmd]['public_ip']
+            puts "inspec exec #{url} -t ssh://#{ip} -i #{key_name}"
+          else
+            puts "inspec exec #{url} -t aws://us-west-2"
+          end
         end
       end
-    end
 
-    def self.print_controls(file, generated_controls)
-      puts "# encoding: utf-8\n#"
+      def self.tf_controls(title, generated_controls)
+        content = "# encoding: utf-8\n#\n\n"
 
-      puts "\ntitle '#{File.absolute_path(file)} controls generated by Iggy v#{Iggy::VERSION}'"
+        content += "title \"#{title}: generated by Iggy v#{Iggy::VERSION}\"\n"
 
-      # write all controls
-      puts generated_controls.flatten.map(&:to_ruby).join("\n\n")
-    end
+        # write all controls
+        content + generated_controls.flatten.map(&:to_ruby).join("\n\n")
+      end
 
-    # a hack for sure, finds common methods as proxy for InSpec properties
-    COMMON_PROPERTIES = Inspec::Resource.registry["aws_subnet"].instance_methods &
-      Inspec::Resource.registry["directory"].instance_methods
+      def self.cfn_controls(title, generated_controls, stack)
+        content = "# encoding: utf-8\n#\n\n"
+
+        content += "begin\n"
+        content += "  awsclient = Aws::CloudFormation::Client.new()\n"
+        content += "  cfn = awsclient.list_stack_resources({ stack_name: \"#{stack}\" }).to_hash\n"
+        content += "  resources = {}\n"
+        content += "  cfn[:stack_resource_summaries].each { |r| resources[r[:logical_resource_id]] = r[:physical_resource_id] }\n"
+        content += "rescue Exception => e\n"
+        content += "  raise(e) unless @conf['profile'].check_mode\n"
+        content += "end\n\n"
+
+        content += "title \"#{title}: generated by Iggy v#{Iggy::VERSION}\"\n"
+
+        # get the controls, insert lookups for physical_resource_ids
+        controls = generated_controls.flatten.map(&:to_ruby).join("\n\n")
+        controls.gsub!(/\"resources\[/, 'resources["')
+        controls.gsub!(/\]\"/, '"]')
+        content + controls
+      end
+
+      # a hack for sure, finds common methods as proxy for InSpec properties
+      COMMON_PROPERTIES = Inspec::Resource.registry['aws_subnet'].instance_methods &
+                          Inspec::Resource.registry['directory'].instance_methods
+    end
   end
 end

data/lib/inspec-iggy/plugin.rb

@@ -0,0 +1,43 @@
+# encoding: UTF-8
+
+# Plugin Definition file
+# The purpose of this file is to declare to InSpec what plugin_types (capabilities)
+# are included in this plugin, and provide hooks that will load them as needed.
+
+# It is important that this file load successfully and *quickly*.
+# Your plugin's functionality may never be used on this InSpec run; so we keep things
+# fast and light by only loading heavy things when they are needed.
+
+require 'inspec/plugin/v2'
+
+# The InspecPlugins namespace is where all plugins should declare themselves.
+# The 'Inspec' capitalization is used throughout the InSpec source code; yes, it's
+# strange.
+module InspecPlugins
+  # Pick a reasonable namespace here for your plugin.  A reasonable choice
+  # would be the CamelCase version of your plugin gem name.
+  module Iggy
+    class Plugin < ::Inspec.plugin(2)
+      # Internal machine name of the plugin. InSpec will use this in errors, etc.
+      plugin_name :'inspec-iggy'
+
+      cli_command :terraform do
+        # Calling this hook doesn't mean iggy is being executed - just
+        # that we should be ready to do so. So, load the file that defines the
+        # functionality.
+        # For example, InSpec will activate this hook when `inspec help` is
+        # executed, so that this plugin's usage message will be included in the help.
+        require 'inspec-iggy/terraform/cli_command'
+
+        # Having loaded our functionality, return a class that will let the
+        # CLI engine tap into it.
+        InspecPlugins::Iggy::Terraform::CliCommand
+      end
+
+      cli_command :cloudformation do
+        require 'inspec-iggy/cloudformation/cli_command'
+        InspecPlugins::Iggy::CloudFormation::CliCommand
+      end
+    end
+  end
+end

data/lib/inspec-iggy/profile.rb

@@ -0,0 +1,74 @@
+# -*- coding: utf-8 -*-
+#
+# Author:: Matt Ray (<matt@chef.io>)
+#
+# Copyright:: 2018, Chef Software, Inc <legal@chef.io>
+#
+
+require 'yaml'
+
+module InspecPlugins
+  module Iggy
+    class Profile
+      # match the output of 'inspec init profile'
+      def self.render_profile(cli_ui, options, source_file, controls)
+        name = options[:name]
+        overwrite_mode = options[:overwrite]
+        # Create new profile at /Users/mattray/ws/inspec-iggy/foobar
+        full_destination_root_path = Pathname.new(Dir.pwd).join(name)
+        cli_ui.plain_text "Create new profile at #{cli_ui.mark_text(full_destination_root_path)}"
+        if File.exist?(full_destination_root_path) && !overwrite_mode
+          cli_ui.plain_text "#{cli_ui.mark_text(full_destination_root_path)} exists already, use --overwrite"
+          cli_ui.exit(1)
+        end
+        # ensure that full_destination_root_path directory is available
+        FileUtils.mkdir_p(full_destination_root_path)
+        #  * Create directory controls
+        cli_ui.li "Create directory #{cli_ui.mark_text("#{name}/controls")}"
+        FileUtils.mkdir_p("#{name}/controls")
+        render_readme_md(cli_ui, name, source_file)
+        render_inspec_yml(cli_ui, name, source_file, options)
+        render_controls_rb(cli_ui, name, controls)
+      end
+
+      #  * Create file README.md
+      def self.render_readme_md(cli_ui, name, source_file)
+        render_file = "#{name}/README.md"
+        cli_ui.li "Create file #{cli_ui.mark_text(render_file)}"
+        f = File.new(render_file, 'w')
+        f.puts("# #{name}")
+        f.puts
+        f.puts("This profile was generated by InSpec-Iggy v#{Iggy::VERSION} from the #{source_file} source file.")
+        f.close
+      end
+
+      #  * Create file inspec.yml
+      def self.render_inspec_yml(cli_ui, name, source_file, options)
+        render_file = "#{name}/inspec.yml"
+        cli_ui.li "Create file #{cli_ui.mark_text(render_file)}"
+        yml = {}
+        yml['name'] = name
+        yml['title'] = options[:title]
+        yml['maintainer'] = options[:maintainer]
+        yml['copyright'] = options[:copyright]
+        yml['copyright_email'] = options[:email]
+        yml['license'] = options[:license]
+        yml['summary'] = options[:summary]
+        yml['version'] = options[:version]
+        yml['description'] = "Generated by InSpec-Iggy v#{Iggy::VERSION} from the #{source_file} source file."
+        f = File.new(render_file, 'w')
+        f.write(yml.to_yaml)
+        f.close
+      end
+
+      #  * Create file controls/example.rb
+      def self.render_controls_rb(cli_ui, name, controls)
+        render_file = "#{name}/controls/controls.rb"
+        cli_ui.li "Create file #{cli_ui.mark_text(render_file)}"
+        f = File.new(render_file, 'w')
+        f.write(controls)
+        f.close
+      end
+    end
+  end
+end

data/lib/inspec-iggy/terraform/cli_command.rb

@@ -0,0 +1,94 @@
+# encoding: utf-8
+#
+# Author:: Matt Ray (<matt@chef.io>)
+#
+# Copyright:: 2018, Chef Software, Inc <legal@chef.io>
+#
+
+require 'inspec/plugin/v2'
+
+require 'inspec-iggy/version'
+require 'inspec-iggy/profile'
+require 'inspec-iggy/terraform/parser'
+
+module InspecPlugins::Iggy
+  module Terraform
+    class CliCommand < Inspec.plugin(2, :cli_command)
+      subcommand_desc 'terraform SUBCOMMAND ...', 'Extract or generate InSpec from Terraform'
+
+      # Thor.map(Hash) allows you to make aliases for commands.
+      map('-v' => 'version')         # Treat `inspec terraform -v`` as `inspec terraform version`
+      map('--version' => 'version')  # Treat `inspec terraform -version`` as `inspec terraform version`
+
+      desc 'version', 'Display version information', hide: true
+      def version
+        say("Iggy v#{InspecPlugins::Iggy::VERSION}")
+      end
+
+      option :debug,
+             desc: 'Verbose debugging messages',
+             type: :boolean,
+             default: false
+
+      option :copyright,
+             desc: 'Name of the copyright holder',
+             default: 'The Authors'
+
+      option :email,
+             desc: 'Email address of the author',
+             default: 'you@example.com'
+
+      option :license,
+             desc: 'License for the profile',
+             default: 'Apache-2.0'
+
+      option :maintainer,
+             desc: 'Name of the copyright holder',
+             default: 'The Authors'
+
+      option :summary,
+             desc: 'One line summary for the profile',
+             default: 'An InSpec Compliance Profile'
+
+      option :title,
+             desc: 'Human-readable name for the profile',
+             default: 'InSpec Profile'
+
+      option :version,
+             desc: 'Specify the profile version',
+             default: '0.1.0'
+
+      option :overwrite,
+             desc: 'Overwrites existing profile directory',
+             type: :boolean,
+             default: false
+
+      option :name,
+             aliases: '-n',
+             required: true,
+             desc: 'Name of profile to be generated'
+
+      option :tfstate,
+             aliases: '-t',
+             desc: 'Specify path to the input terraform.tfstate',
+             default: 'terraform.tfstate'
+
+      desc 'generate [options]', 'Generate InSpec compliance controls from terraform.tfstate'
+      def generate
+        Inspec::Log.level = :debug if options[:debug]
+        generated_controls = InspecPlugins::Iggy::Terraform::Parser.parse_generate(options[:tfstate])
+        printable_controls = InspecPlugins::Iggy::InspecHelper.tf_controls(options[:title], generated_controls)
+        InspecPlugins::Iggy::Profile.render_profile(self, options, options[:tfstate], printable_controls)
+        exit 0
+      end
+
+      desc 'extract [options]', 'Extract tagged InSpec profiles from terraform.tfstate'
+      def extract
+        Inspec::Log.level = :debug if options[:debug]
+        extracted_profiles = InspecPlugins::Iggy::Terraform::Parser.parse_extract(options[:tfstate])
+        puts InspecPlugins::Iggy::InspecHelper.print_commands(extracted_profiles)
+        exit 0
+      end
+    end
+  end
+end

data/lib/inspec-iggy/terraform/parser.rb

@@ -0,0 +1,147 @@
+#
+# Author:: Matt Ray (<matt@chef.io>)
+#
+# Copyright:: 2018, Chef Software, Inc <legal@chef.io>
+#
+
+require 'json'
+
+require 'inspec/objects/control'
+require 'inspec/objects/ruby_helper'
+require 'inspec/objects/describe'
+
+require 'inspec-iggy/inspec_helper'
+
+module InspecPlugins::Iggy::Terraform
+  class Parser
+    # makes it easier to change out later
+    TAG_NAME = 'iggy_name_'.freeze
+    TAG_URL = 'iggy_url_'.freeze
+
+    # boilerplate tfstate parsing
+    def self.parse_tfstate(file)
+      Inspec::Log.debug "Iggy::Terraform.parse_tfstate file = #{file}"
+      begin
+        unless File.file?(file)
+          STDERR.puts "ERROR: #{file} is an invalid file, please check your path."
+          exit(-1)
+        end
+        JSON.parse(File.read(file))
+      rescue JSON::ParserError => e
+        STDERR.puts e.message
+        STDERR.puts "ERROR: Parsing error in #{file}."
+        exit(-1)
+      end
+    end
+
+    # parse through the JSON for the tagged Resources
+    def self.parse_extract(file) # rubocop:disable Metrics/AbcSize
+      tfstate = parse_tfstate(file)
+      # InSpec profiles extracted
+      extracted_profiles = {}
+
+      # iterate over the resources
+      tf_resources = tfstate['modules'][0]['resources']
+      tf_resources.keys.each do |tf_res|
+        tf_res_id = tf_resources[tf_res]['primary']['id']
+
+        # get the attributes, see if any of them have a tagged profile attached
+        tf_resources[tf_res]['primary']['attributes'].keys.each do |attr|
+          next unless attr.start_with?('tags.' + TAG_NAME)
+          Inspec::Log.debug "Iggy::Terraform.parse_extract tf_res = #{tf_res} attr = #{attr} MATCHED TAG"
+          # get the URL and the name of the profiles
+          name = attr.split(TAG_NAME)[1]
+          url = tf_resources[tf_res]['primary']['attributes']["tags.#{TAG_URL}#{name}"]
+          if tf_res.start_with?('aws_vpc') # should this be VPC or subnet?
+            # if it's a VPC, store it as the VPC id + name
+            key = tf_res_id + ':' + name
+            Inspec::Log.debug "Iggy::Terraform.parse_extract aws_vpc tagged with InSpec #{key}"
+            extracted_profiles[key] = {
+              'type' => 'aws_vpc',
+              'az' => 'us-west-2',
+              'url' => url,
+            }
+          elsif tf_res.start_with?('aws_instance')
+            # if it's a node, get information about the IP and SSH/WinRM
+            key = tf_res_id + ':' + name
+            Inspec::Log.debug "Iggy::Terraform.parse_extract aws_instance tagged with InSpec #{key}"
+            extracted_profiles[key] = {
+              'type' => 'aws_instance',
+              'public_ip' => tf_resources[tf_res]['primary']['attributes']['public_ip'],
+              'key_name' => tf_resources[tf_res]['primary']['attributes']['key_name'],
+              'url' => url,
+            }
+          else
+            # should generic AWS just be the default except for instances?
+            STDERR.puts "ERROR: #{file} #{tf_res_id} has an InSpec-tagged resource but #{tf_res} is currently unsupported."
+            exit(-1)
+          end
+        end
+      end
+      Inspec::Log.debug "Iggy::Terraform.parse_extract extracted_profiles = #{extracted_profiles}"
+      extracted_profiles
+    end
+
+    # parse through the JSON and generate InSpec controls
+    def self.parse_generate(file) # rubocop:disable all
+      tfstate = parse_tfstate(file)
+      absolutename = File.absolute_path(file)
+
+      # InSpec controls generated
+      generated_controls = []
+
+      # iterate over the resources
+      tfstate['modules'].each do |m|
+        tf_resources = m['resources']
+        tf_resources.keys.each do |tf_res|
+          tf_res_type = tf_resources[tf_res]['type']
+
+          # add translation layer
+          if InspecPlugins::Iggy::InspecHelper::TRANSLATED_RESOURCES.key?(tf_res_type)
+            Inspec::Log.debug "Iggy::Terraform.parse_generate tf_res_type = #{tf_res_type} #{InspecPlugins::Iggy::InspecHelper::TRANSLATED_RESOURCES[tf_res_type]} TRANSLATED"
+            tf_res_type = InspecPlugins::Iggy::InspecHelper::TRANSLATED_RESOURCES[tf_res_type]
+          end
+
+          # does this match an InSpec resource?
+          if InspecPlugins::Iggy::InspecHelper::RESOURCES.include?(tf_res_type)
+            Inspec::Log.debug "Iggy::Terraform.parse_generate tf_res_type = #{tf_res_type} MATCH"
+            tf_res_id = tf_resources[tf_res]['primary']['id']
+
+            # insert new control based off the resource's ID
+            ctrl = Inspec::Control.new
+            ctrl.id = "#{tf_res_type}::#{tf_res_id}"
+            ctrl.title = "InSpec-Iggy #{tf_res_type}::#{tf_res_id}"
+            ctrl.descriptions[:default] = "#{tf_res_type}::#{tf_res_id} from the source file #{absolutename}\nGenerated by InSpec-Iggy v#{InspecPlugins::Iggy::VERSION}"
+            ctrl.impact = '1.0'
+
+            describe = Inspec::Describe.new
+            # describes the resourde with the id as argument
+            describe.qualifier.push([tf_res_type, tf_res_id])
+
+            # ensure the resource exists
+            describe.add_test(nil, 'exist', nil)
+
+            # if there's a match, see if there are matching InSpec properties
+            inspec_properties = InspecPlugins::Iggy::InspecHelper.resource_properties(tf_res_type)
+            tf_resources[tf_res]['primary']['attributes'].keys.each do |attr|
+              if inspec_properties.member?(attr)
+                Inspec::Log.debug "Iggy::Terraform.parse_generate #{tf_res_type} inspec_property = #{attr} MATCH"
+                value = tf_resources[tf_res]['primary']['attributes'][attr]
+                describe.add_test(attr, 'eq', value)
+              else
+                Inspec::Log.debug "Iggy::Terraform.parse_generate #{tf_res_type} inspec_property = #{attr} SKIP"
+              end
+            end
+
+            ctrl.add_test(describe)
+            generated_controls.push(ctrl)
+          else
+            Inspec::Log.debug "Iggy::Terraform.parse_generate tf_res_type = #{tf_res_type} SKIP"
+          end
+        end
+      end
+      Inspec::Log.debug "Iggy::Terraform.parse_generate generated_controls = #{generated_controls}"
+      generated_controls
+    end
+  end
+end