RubyGems - inspec-iggy - Versions diffs - 0.5.0 → 0.6.0 - Mend

inspec-iggy 0.5.0 → 0.6.0

Files changed (17) hide show

checksums.yaml +4 -4
data/Gemfile +19 -0
data/README.md +34 -3
data/inspec-iggy.gemspec +2 -2
data/lib/inspec-iggy/cloudformation/cli_command.rb +3 -3
data/lib/inspec-iggy/cloudformation/{parser.rb → generate.rb} +9 -9
data/lib/inspec-iggy/inspec_helper.rb +443 -27
data/lib/inspec-iggy/platforms/aws_helper.rb +42 -0
data/lib/inspec-iggy/platforms/azure_helper.rb +38 -0
data/lib/inspec-iggy/platforms/gcp_helper.rb +168 -0
data/lib/inspec-iggy/profile_helper.rb +50 -29
data/lib/inspec-iggy/terraform/cli_command.rb +74 -49
data/lib/inspec-iggy/terraform/generate.rb +130 -0
data/lib/inspec-iggy/terraform/negative.rb +112 -0
data/lib/inspec-iggy/version.rb +1 -1
metadata +12 -8
data/lib/inspec-iggy/terraform/parser.rb +0 -148

data/lib/inspec-iggy/platforms/aws_helper.rb ADDED

@@ -0,0 +1,42 @@
+# helpers for working with InSpec-AWS profiles
+require 'yaml'
+module InspecPlugins::Iggy::Platforms
+  class AwsHelper
+    # find the additional parameters
+    AWS_RESOURCE_QUALIFIERS = {
+    }.freeze
+    # the iterators for the various resource types
+    AWS_RESOURCE_ITERATORS = {
+    }.freeze
+    AWS_REMOVED_PROPERTIES = {
+    }.freeze
+    # Terraform boilerplate controls/controls.rb content
+    def self.tf_controls
+      "\n\naws_vpc_id = attribute('aws_vpc_id', default: '', description: 'Optional AWS VPC identifier.')\n\n"
+    end
+    # readme content
+    def self.readme
+    end
+    # inspec.yml boilerplate content from
+    # inspec/lib/plugins/inspec-init/templates/profiles/aws/inspec.yml
+    def self.inspec_yml
+      yml = {}
+      yml['inspec_version'] = '~> 4'
+      yml['depends'] = [{
+        'name' => 'inspec-aws',
+        'url' => 'https://github.com/inspec/inspec-aws/archive/master.tar.gz'
+      }]
+      yml['supports'] = [{
+        'platform' => 'aws'
+      }]
+      yml
+    end
+  end
+end

data/lib/inspec-iggy/platforms/azure_helper.rb ADDED

@@ -0,0 +1,38 @@
+# helpers for working with InSpec-Azure profiles
+require 'yaml'
+module InspecPlugins::Iggy::Platforms
+  class AzureHelper
+    # find the additional parameters
+    AZURE_RESOURCE_QUALIFIERS = {
+    }.freeze
+    # the iterators for the various resource types
+    AZURE_RESOURCE_ITERATORS = {
+    }.freeze
+    AZURE_REMOVED_PROPERTIES = {
+    }.freeze
+    # readme content
+    def self.readme
+      "\n"
+    end
+    # inspec.yml boilerplate content from
+    # inspec/lib/plugins/inspec-init/templates/profiles/azure/inspec.yml
+    def self.inspec_yml
+      yml = {}
+      yml['inspec_version'] = '>= 2.2.7'
+      yml['depends'] = [{
+        'name' => 'inspec-azure',
+        'url' => 'https://github.com/inspec/inspec-azure/archive/master.tar.gz'
+      }]
+      yml['supports'] = [{
+        'platform' => 'azure'
+      }]
+      yml
+    end
+  end
+end

data/lib/inspec-iggy/platforms/gcp_helper.rb ADDED

@@ -0,0 +1,168 @@
+# helpers for working with InSpec-GCP profiles
+require 'yaml'
+module InspecPlugins::Iggy::Platforms
+  class GcpHelper
+    # find the additional parameters for the 'describe'
+    GCP_RESOURCE_QUALIFIERS = {
+      'google_bigquery_dataset' => [:project, :name],
+      'google_bigquery_table' => [:project, :dataset, :name],
+      'google_cloudfunctions_cloud_function' => [:project, :location, :name],
+      'google_compute_address' => [:project, :location, :name],
+      'google_compute_autoscaler' => [:project, :zone, :name],
+      'google_compute_backend_bucket' => [:project, :name],
+      'google_compute_backend_service' => [:project, :name],
+      'google_compute_disk' => [:project, :name, :zone],
+      'google_compute_firewall' => [:project, :name],
+      'google_compute_forwarding_rule' => [:project, :region, :name],
+      'google_compute_global_address' => [:project, :name],
+      'google_compute_global_forwarding_rule' => [:project, :name],
+      'google_compute_health_check' => [:project, :name],
+      'google_compute_http_health_check' => [:project, :name],
+      'google_compute_https_health_check' => [:project, :name],
+      'google_compute_image' => [:project, :name],
+      'google_compute_instance' => [:project, :zone, :name],
+      'google_compute_instance_group' => [:project, :zone, :name],
+      'google_compute_instance_group_manager' => [:project, :zone, :name],
+      'google_compute_instance_template' => [:project, :name],
+      'google_compute_network' => [:project, :name],
+      'google_compute_project_info' => [:project],
+      'google_compute_region' => [:project, :name],
+      'google_compute_region_backend_service' => [:project, :region, :name],
+      'google_compute_region_instance_group_manager' => [:project, :region, :name],
+      'google_compute_route' => [:project, :name],
+      'google_compute_router' => [:project, :region, :name],
+      'google_compute_snapshot' => [:project, :name],
+      'google_compute_ssl_certificate' => [:project, :name],
+      'google_compute_ssl_policy' => [:project, :name],
+      'google_compute_subnetwork' => [:project, :region, :name],
+      'google_compute_subnetwork_iam_policy' => [:project, :region, :name],
+      'google_compute_target_http_proxy' => [:project, :name],
+      'google_compute_target_https_proxy' => [:project, :name],
+      'google_compute_target_pool' => [:project, :region, :name],
+      'google_compute_target_tcp_proxy' => [:project, :name],
+      'google_compute_url_map' => [:project, :name],
+      'google_compute_vpn_tunnel' => [:project, :region, :name],
+      'google_compute_zone' => [:project, :zone],
+      'google_container_cluster' => [:project, :zone, :name],
+      'google_container_node_pool' => [:project, :zone, :cluster_name, :nodepool_name],
+      'google_container_regional_cluster' => [:project, :location, :name],
+      'google_container_regional_node_pool' => [:project, :location, :cluster, :name],
+      'google_dns_managed_zone' => [:project, :zone],
+      'google_dns_resource_record_set' => [:project, :name, :type, :managed_zone],
+      'google_kms_crypto_key' => [:project, :location, :key_ring_name, :name],
+      'google_kms_crypto_key_iam_binding' => [:crypto_key_url, :role],
+      'google_kms_key_ring' => [:project, :location, :name],
+      'google_kms_key_ring_iam_binding' => [:key_ring_url, :role],
+      'google_logging_project_exclusion' => [:project, :exclusion],
+      'google_logging_project_sink' => [:project, :sink],
+      'google_organization' => [:display_name],
+      'google_organization_policy' => [:name, :constraints],
+      'google_project' => [:project],
+      'google_project_alert_policy' => [:policy],
+      'google_project_alert_policy_condition' => [:name, :filter],
+      'google_project_iam_binding' => [:project, :role],
+      'google_project_iam_custom_role' => [:project, :name],
+      'google_project_logging_audit_config' => [:project],
+      'google_project_metric' => [:project, :metric],
+      'google_pubsub_subscription' => [:project, :name],
+      'google_pubsub_subscription_iam_policy' => [:project, :name],
+      'google_pubsub_topic' => [:project, :name],
+      'google_pubsub_topic_iam_policy' => [:project, :name],
+      'google_resourcemanager_organization_policy' => [:organization_name, :constraint],
+      'google_service_account' => [:name],
+      'google_service_account_key' => [:name],
+      'google_sourcerepo_repository' => [:project, :name],
+      'google_sql_database_instance' => [:project, :database],
+      'google_storage_bucket' => [:name],
+      'google_storage_bucket_acl' => [:bucket, :entity],
+      'google_storage_bucket_iam_binding' => [:bucket, :role],
+      'google_storage_bucket_object' => [:bucket, :object],
+      'google_storage_default_object_acl' => [:bucket, :entity],
+      'google_storage_object_acl' => [:bucket, :object, :entity],
+      'google_user' => [:user_key]
+    }.freeze
+    # the iterators for the various resource types
+    GCP_RESOURCE_ITERATORS = {
+      # 'google_compute_disk' => { 'iterator' => 'google_compute_disks', 'index' => 'names', 'qualifiers' => [:project, :zone] }, # false positives because instance attached disks aren't managed by Terraform
+      # 'google_compute_network' => { 'iterator' => 'google_compute_networks', 'index' => 'network_names', 'qualifiers' => [:project] },
+      # 'google_compute_region' => { 'iterator' => 'google_compute_regions', 'index' => 'region_names', 'qualifiers' => [:project] },
+      # 'google_compute_region_instance_group_manager' => { 'iterator' => 'google_compute_region_instance_group_managers', 'index' => 'instance_group_names', 'qualifiers' => [:project, :region] }, verify it has 2 filter criteria
+      # 'google_compute_route' => { 'iterator' => 'google_compute_routes', 'index' => 'names', 'qualifiers' => [:project] },
+      # 'google_compute_subnetwork' => { 'iterator' => 'google_compute_subnetworks', 'index' => 'subnetwork_names', 'qualifiers' => [:project, :region] },
+      # 'google_compute_zone' => { 'iterator' => 'google_compute_zones', 'index' => 'zone_names', 'qualifiers' => [:project] },
+      # 'google_kms_crypto_key_iam_binding' => { 'iterator' => 'google_kms_crypto_key_iam_bindings', 'index' => 'iam_binding_roles', 'qualifiers' => [:crypto_key_url] },
+      # 'google_kms_key_ring' => { 'iterator' => 'google_kms_key_rings', 'index' => 'key_ring_names', 'qualifiers' => [:project, :location] },
+      # 'google_kms_key_ring_iam_binding' => { 'iterator' => 'google_kms_key_ring_iam_bindings', 'index' => 'iam_binding_roles', 'qualifiers' => [:key_ring_url] },
+      # 'google_organization' => { 'iterator' => 'google_organizations', 'index' => 'names', 'qualifiers' => [] }, # organizations are not managed by Terraform
+      # 'google_project' => { 'iterator' => 'google_projects', 'index' => 'project_names', 'qualifiers' => [] }, # projects are not managed by Terraform
+      # 'google_project_iam_binding' => { 'iterator' => 'google_project_iam_bindings', 'index' => 'iam_binding_roles', 'qualifiers' => [:project] },
+      'google_bigquery_dataset' => { 'iterator' => 'google_bigquery_datasets', 'index' => 'names', 'qualifiers' => [:project] },
+      'google_bigquery_table' => { 'iterator' => 'google_bigquery_tables', 'index' => 'table_references', 'qualifiers' => [:project, :dataset] },
+      'google_cloudbuild_trigger' => { 'iterator' => 'google_cloudbuild_triggers', 'index' => 'names', 'qualifiers' => [:project] },
+      'google_cloudfunctions_cloud_function' => { 'iterator' => 'google_cloudfunctions_cloud_functions', 'index' => 'names', 'qualifiers' => [:project, :location] },
+      'google_compute_autoscaler' => { 'iterator' => 'google_compute_autoscalers', 'index' => 'names', 'qualifiers' => [:project, :zone] },
+      'google_compute_backend_bucket' => { 'iterator' => 'google_compute_backend_buckets', 'index' => 'names', 'qualifiers' => [:project] },
+      'google_compute_backend_service' => { 'iterator' => 'google_compute_backend_services', 'index' => 'names', 'qualifiers' => [:project] },
+      'google_compute_firewall' => { 'iterator' => 'google_compute_firewalls', 'index' => 'firewall_names', 'qualifiers' => [:project] },
+      'google_compute_forwarding_rule' => { 'iterator' => 'google_compute_forwarding_rules', 'index' => 'forwarding_rule_names', 'qualifiers' => [:project, :region] },
+      'google_compute_health_check' => { 'iterator' => 'google_compute_health_checks', 'index' => 'names', 'qualifiers' => [:project] },
+      'google_compute_http_health_check' => { 'iterator' => 'google_compute_http_health_checks', 'index' => 'names', 'qualifiers' => [:project] },
+      'google_compute_https_health_check' => { 'iterator' => 'google_compute_https_health_checks', 'index' => 'names', 'qualifiers' => [:project] },
+      'google_compute_instance' => { 'iterator' => 'google_compute_instances', 'index' => 'instance_names', 'qualifiers' => [:project, :zone] },
+      'google_compute_instance_group' => { 'iterator' => 'google_compute_instance_groups', 'index' => 'instance_group_names', 'qualifiers' => [:project, :zone] },
+      'google_compute_instance_group_manager' => { 'iterator' => 'google_compute_instance_group_managers', 'index' => 'base_instance_names', 'qualifiers' => [:project, :zone] },
+      'google_compute_instance_template' => { 'iterator' => 'google_compute_instance_templates', 'index' => 'names', 'qualifiers' => [:project] },
+      'google_compute_router' => { 'iterator' => 'google_compute_routers', 'index' => 'names', 'qualifiers' => [:project, :region] },
+      'google_compute_snapshot' => { 'iterator' => 'google_compute_snapshots', 'index' => 'names', 'qualifiers' => [:project] },
+      'google_compute_ssl_certificate' => { 'iterator' => 'google_compute_ssl_certificates', 'index' => 'names', 'qualifiers' => [:project] },
+      'google_compute_ssl_policy' => { 'iterator' => 'google_compute_ssl_policies', 'index' => 'names', 'qualifiers' => [:project] },
+      'google_compute_target_http_proxy' => { 'iterator' => 'google_compute_target_http_proxies', 'index' => 'names', 'qualifiers' => [:project] },
+      'google_compute_target_https_proxy' => { 'iterator' => 'google_compute_target_https_proxies', 'index' => 'names', 'qualifiers' => [:project] },
+      'google_compute_target_pool' => { 'iterator' => 'google_compute_target_pools', 'index' => 'names', 'qualifiers' => [:project, :region] },
+      'google_compute_target_tcp_proxy' => { 'iterator' => 'google_compute_target_tcp_proxies', 'index' => 'names', 'qualifiers' => [:project] },
+      'google_compute_url_map' => { 'iterator' => 'google_compute_url_maps', 'index' => 'names', 'qualifiers' => [:project] },
+      'google_compute_vpn_tunnel' => { 'iterator' => 'google_compute_vpn_tunnels', 'index' => 'vpn_tunnel_names', 'qualifiers' => [:project, :region] },
+      'google_container_cluster' => { 'iterator' => 'google_container_clusters', 'index' => 'cluster_names', 'qualifiers' => [:project, :zone] },
+      'google_container_node_pool' => { 'iterator' => 'google_container_node_pools', 'index' => 'node_pool_names', 'qualifiers' => [:project, :zone, :cluster_name] },
+      'google_container_regional_cluster' => { 'iterator' => 'google_container_regional_clusters', 'index' => 'names', 'qualifiers' => [:project, :location] },
+      'google_dns_managed_zone' => { 'iterator' => 'google_dns_managed_zones', 'index' => 'zone_names', 'qualifiers' => [:project] },
+      'google_dns_resource_record_set' => { 'iterator' => 'google_dns_resource_record_sets', 'index' => 'names', 'qualifiers' => [:project, :managed_zone] },
+      'google_kms_crypto_key' => { 'iterator' => 'google_kms_crypto_keys', 'index' => 'crypto_key_names', 'qualifiers' => [:project, :location, :key_ring_name] },
+      'google_logging_project_sink' => { 'iterator' => 'google_logging_project_sinks', 'index' => 'sink_names', 'qualifiers' => [:project] },
+      'google_project_alert_policy' => { 'iterator' => 'google_project_alert_policies', 'index' => 'policy_names', 'qualifiers' => [:project] },
+      'google_project_metric' => { 'iterator' => 'google_project_metrics', 'index' => 'metric_names', 'qualifiers' => [:project] },
+      'google_pubsub_subscription' => { 'iterator' => 'google_pubsub_subscriptions', 'index' => 'names', 'qualifiers' => [:project] },
+    }.freeze
+    GCP_REMOVED_PROPERTIES = {
+      'google_compute_http_health_check' => [:self_link, :id, :creation_timestamp], # id: terraform has name not id, self_link: undocumented but broken, creation_timestamp api incompatibility
+      'google_compute_instance' => [:label_fingerprint, :machine_type, :min_cpu_platform, :zone], # label_fingerprint, machine_type, zone api incompatibility | min_cpu_platform undefined
+      'google_compute_instance_group' => [:zone], # zone api incompatibility issue
+      'google_compute_forwarding_rule' => [:backend_service, :ip_version, :network, :region, :subnetwork], # :backend_service, :ip_version, :network, :region, :subnetwork api incompatibility
+      'google_compute_target_pool' => [:backup_pool, :failover_ratio, :id, :region, :self_link], # api incompatibility
+    }.freeze
+    # readme content
+    def self.readme
+    end
+    # inspec.yml boilerplate content from
+    # inspec/lib/plugins/inspec-init/templates/profiles/gcp/inspec.yml
+    def self.inspec_yml
+      yml = {}
+      yml['inspec_version'] = '>= 2.3.5'
+      yml['depends'] = [{
+        'name' => 'inspec-gcp',
+        'url' => 'https://github.com/inspec/inspec-gcp/archive/master.tar.gz'
+      }]
+      yml['supports'] = [{
+        'platform' => 'gcp'
+      }]
+      yml
+    end
+  end
+end

data/lib/inspec-iggy/profile_helper.rb CHANGED

@@ -1,46 +1,64 @@
+# -*- coding: utf-8 -*-
 # renders the profile from the parsed files
 require 'yaml'
+require 'inspec-iggy/platforms/aws_helper'
+require 'inspec-iggy/platforms/azure_helper'
+require 'inspec-iggy/platforms/gcp_helper'
 module InspecPlugins
   module Iggy
     class ProfileHelper
       # match the output of 'inspec init profile'
-      def self.render_profile(cli_ui, options, source_file, controls)
+      # inspec/lib/plugins/inspec-init/lib/inspec-init/renderer.rb
+      def self.render_profile(cli, options, source_file, controls, platform = nil)
         name = options[:name]
         overwrite_mode = options[:overwrite]
-        # Create new profile at /Users/mattray/ws/inspec-iggy/foobar
-        full_destination_root_path = Pathname.new(Dir.pwd).join(name)
-        cli_ui.plain_text "Create new profile at #{cli_ui.mark_text(full_destination_root_path)}"
-        if File.exist?(full_destination_root_path) && !overwrite_mode
-          cli_ui.plain_text "#{cli_ui.mark_text(full_destination_root_path)} exists already, use --overwrite"
-          cli_ui.exit(1)
+        #  --------------------------- InSpec Code Generator ---------------------------
+        cli.headline('InSpec Iggy Code Generator')
+        full_destination_path = Pathname.new(Dir.pwd).join(name)
+        if File.exist?(full_destination_path) && !overwrite_mode
+          cli.plain_line "#{cli.emphasis(full_destination_path)} exists already, use --overwrite"
+          cli.exit(1)
         end
-        # ensure that full_destination_root_path directory is available
-        FileUtils.mkdir_p(full_destination_root_path)
-        #  * Create directory controls
-        cli_ui.li "Create directory #{cli_ui.mark_text("#{name}/controls")}"
+        # ensure that full_destination_path directory is available
+        FileUtils.mkdir_p(full_destination_path)
+        # Creating new profile at /Users/mattray/ws/inspec-iggy/FOO
+        cli.plain_line "Creating new profile at #{cli.emphasis(full_destination_path)}"
+        # * Creating file README.md
+        render_readme_md(cli, name, source_file, platform)
+        # * Creating directory controls
+        cli.list_item "Creating directory #{cli.emphasis('controls')}"
         FileUtils.mkdir_p("#{name}/controls")
-        render_readme_md(cli_ui, name, source_file)
-        render_inspec_yml(cli_ui, name, source_file, options)
-        render_controls_rb(cli_ui, name, controls)
+        # * Creating file controls/generated.rb
+        render_controls_rb(cli, name, controls)
+        # * Creating file inspec.yml
+        render_inspec_yml(cli, name, source_file, options, platform)
+        cli.plain_line
       end
-      #  * Create file README.md
-      def self.render_readme_md(cli_ui, name, source_file)
-        render_file = "#{name}/README.md"
-        cli_ui.li "Create file #{cli_ui.mark_text(render_file)}"
-        f = File.new(render_file, 'w')
+      def self.render_readme_md(cli, name, source_file, platform)
+        cli.list_item "Creating file #{cli.emphasis('README.md')}"
+        f = File.new("#{name}/README.md", 'w')
         f.puts("# #{name}")
         f.puts
         f.puts("This profile was generated by InSpec-Iggy v#{Iggy::VERSION} from the #{source_file} source file.")
+        f.puts(InspecPlugins::Iggy::Platforms::AwsHelper.readme) if platform.eql?('aws')
+        f.puts(InspecPlugins::Iggy::Platforms::AzureHelper.readme) if platform.eql?('azure')
+        f.puts(InspecPlugins::Iggy::Platforms::GcpHelper.readme) if platform.eql?('gcp')
         f.close
       end
-      #  * Create file inspec.yml
-      def self.render_inspec_yml(cli_ui, name, source_file, options)
-        render_file = "#{name}/inspec.yml"
-        cli_ui.li "Create file #{cli_ui.mark_text(render_file)}"
+      def self.render_inspec_yml(cli, name, source_file, options, platform)
+        cli.list_item "Creating file #{cli.emphasis('inspec.yml')}"
         yml = {}
         yml['name'] = name
         yml['title'] = options[:title]
@@ -51,16 +69,19 @@ module InspecPlugins
         yml['summary'] = options[:summary]
         yml['version'] = options[:version]
         yml['description'] = "Generated by InSpec-Iggy v#{Iggy::VERSION} from the #{source_file} source file."
-        f = File.new(render_file, 'w')
+        yml.merge!(InspecPlugins::Iggy::Platforms::AwsHelper.inspec_yml) if platform.eql?('aws')
+        yml.merge!(InspecPlugins::Iggy::Platforms::AzureHelper.inspec_yml) if platform.eql?('azure')
+        yml.merge!(InspecPlugins::Iggy::Platforms::GcpHelper.inspec_yml) if platform.eql?('gcp')
+        f = File.new("#{name}/inspec.yml", 'w')
         f.write(yml.to_yaml)
         f.close
       end
-      #  * Create file controls/controls.rb
-      def self.render_controls_rb(cli_ui, name, controls)
-        render_file = "#{name}/controls/controls.rb"
-        cli_ui.li "Create file #{cli_ui.mark_text(render_file)}"
-        f = File.new(render_file, 'w')
+      def self.render_controls_rb(cli, name, controls)
+        cli.list_item "Creating file #{cli.emphasis('controls/generated.rb')}"
+        f = File.new("#{name}/controls/generated.rb", 'w')
         f.write(controls)
         f.close
       end

data/lib/inspec-iggy/terraform/cli_command.rb CHANGED

@@ -4,7 +4,8 @@ require 'inspec/plugin/v2'
 require 'inspec-iggy/version'
 require 'inspec-iggy/profile_helper'
-require 'inspec-iggy/terraform/parser'
+require 'inspec-iggy/terraform/generate'
+require 'inspec-iggy/terraform/negative'
 module InspecPlugins::Iggy
   module Terraform
@@ -20,71 +21,95 @@ module InspecPlugins::Iggy
         say("Iggy v#{InspecPlugins::Iggy::VERSION}")
       end
-      option :debug,
-             desc: 'Verbose debugging messages',
-             type: :boolean,
-             default: false
+      class_option :debug,
+                   desc: 'Verbose debugging messages',
+                   type: :boolean,
+                   default: false
-      option :copyright,
-             desc: 'Name of the copyright holder',
-             default: 'The Authors'
+      class_option :copyright,
+                   desc: 'Name of the copyright holder',
+                   default: 'The Authors'
-      option :email,
-             desc: 'Email address of the author',
-             default: 'you@example.com'
+      class_option :email,
+                   desc: 'Email address of the author',
+                   default: 'you@example.com'
-      option :license,
-             desc: 'License for the profile',
-             default: 'Apache-2.0'
+      class_option :license,
+                   desc: 'License for the profile',
+                   default: 'Apache-2.0'
-      option :maintainer,
-             desc: 'Name of the copyright holder',
-             default: 'The Authors'
+      class_option :maintainer,
+                   desc: 'Name of the copyright holder',
+                   default: 'The Authors'
-      option :summary,
-             desc: 'One line summary for the profile',
-             default: 'An InSpec Compliance Profile'
+      class_option :summary,
+                   desc: 'One line summary for the profile',
+                   default: 'An InSpec Compliance Profile'
-      option :title,
-             desc: 'Human-readable name for the profile',
-             default: 'InSpec Profile'
+      class_option :title,
+                   desc: 'Human-readable name for the profile',
+                   default: 'InSpec Profile'
-      option :version,
-             desc: 'Specify the profile version',
-             default: '0.1.0'
+      class_option :version,
+                   desc: 'Specify the profile version',
+                   default: '0.1.0'
-      option :overwrite,
-             desc: 'Overwrites existing profile directory',
-             type: :boolean,
-             default: false
+      class_option :overwrite,
+                   desc: 'Overwrites existing profile directory',
+                   type: :boolean,
+                   default: false
-      option :name,
-             aliases: '-n',
-             required: true,
-             desc: 'Name of profile to be generated'
+      class_option :name,
+                   aliases: '-n',
+                   required: true,
+                   desc: 'Name of profile to be generated'
-      option :tfstate,
-             aliases: '-t',
-             desc: 'Specify path to the input terraform.tfstate',
-             default: 'terraform.tfstate'
+      class_option :tfstate,
+                   aliases: '-t',
+                   desc: 'Specify path to the input terraform.tfstate',
+                   default: 'terraform.tfstate'
+      class_option :platform,
+                   desc: 'The InSpec platform providing the necessary resources (aws, azure, or gcp)'
+      class_option :resourcepath,
+                   desc: 'Specify path to the InSpec Resource Pack providing the necessary resources'
       desc 'generate [options]', 'Generate InSpec compliance controls from terraform.tfstate'
       def generate
         Inspec::Log.level = :debug if options[:debug]
-        generated_controls = InspecPlugins::Iggy::Terraform::Parser.parse_generate(options[:tfstate])
-        printable_controls = InspecPlugins::Iggy::InspecHelper.tf_controls(options[:title], generated_controls)
-        InspecPlugins::Iggy::ProfileHelper.render_profile(self, options, options[:tfstate], printable_controls)
+        platform = options[:platform]
+        resource_path = options[:resourcepath]
+        # require validation that if platform or resourcepath are passed, both are available
+        if platform or resource_path
+          unless platform and resource_path
+            error 'You must pass both --platform and --resourcepath if using either'
+            exit(1)
+          end
+        end
+        generated_controls = InspecPlugins::Iggy::Terraform::Generate.parse_generate(options[:tfstate], resource_path, platform)
+        printable_controls = InspecPlugins::Iggy::InspecHelper.tf_controls(options[:title], generated_controls, platform)
+        InspecPlugins::Iggy::ProfileHelper.render_profile(ui, options, options[:tfstate], printable_controls, platform)
         exit 0
       end
-      # disabled extract functionality
-      # desc 'extract [options]', 'Extract tagged InSpec profiles from terraform.tfstate'
-      # def extract
-      #   Inspec::Log.level = :debug if options[:debug]
-      #   extracted_profiles = InspecPlugins::Iggy::Terraform::Parser.parse_extract(options[:tfstate])
-      #   puts InspecPlugins::Iggy::InspecHelper.print_commands(extracted_profiles)
-      #   exit 0
-      # end
+      desc 'negative [options]', 'Generate negative InSpec compliance controls from terraform.tfstate'
+      def negative
+        Inspec::Log.level = :debug if options[:debug]
+        platform = options[:platform]
+        resource_path = options[:resourcepath]
+        # require validation that if platform or resourcepath are passed, both are available
+        if platform or resource_path
+          unless platform and resource_path
+            error 'You must pass both --platform and --resourcepath if using either'
+            exit(1)
+          end
+        end
+        negative_controls = InspecPlugins::Iggy::Terraform::Negative.parse_negative(options[:tfstate], resource_path, platform)
+        printable_controls = InspecPlugins::Iggy::InspecHelper.tf_controls(options[:title], negative_controls, platform)
+        InspecPlugins::Iggy::ProfileHelper.render_profile(ui, options, options[:tfstate], printable_controls, platform)
+        exit 0
+      end
     end
   end
 end