inspec-iggy 0.5.0 → 0.6.0

data/lib/inspec-iggy/terraform/generate.rb

@@ -0,0 +1,130 @@
+# parses Terraform d.tfstate files
+
+require 'inspec/objects/control'
+require 'inspec/objects/ruby_helper'
+require 'inspec/objects/describe'
+
+require 'inspec-iggy/file_helper'
+require 'inspec-iggy/inspec_helper'
+
+module InspecPlugins::Iggy::Terraform
+  class Generate
+    # parse through the JSON and generate InSpec controls
+    def self.parse_generate(tf_file, resource_path, platform)
+      # parse the tfstate file to get the Terraform resources
+      tfstate = InspecPlugins::Iggy::FileHelper.parse_json(tf_file)
+      absolutename = File.absolute_path(tf_file)
+
+      # take those Terraform resources and map to InSpec resources by name and keep all attributes
+      # resources -> [{name1 -> {unfiltered_attributes}, name2 -> {unfiltered_attributes}]
+      parsed_resources = parse_resources(tfstate, resource_path, platform)
+
+      # InSpec controls generated from matched_resources and attributes
+      generated_controls = parse_controls(parsed_resources, absolutename, platform)
+
+      Inspec::Log.debug "Iggy::Terraform::Generate.parse_generate generated_controls = #{generated_controls}"
+      generated_controls
+    end
+
+    # returns the list of all InSpec resources found in the tfstate file
+    def self.parse_resources(tfstate, resource_path, _platform)
+      # iterate over the resources
+      resources = {}
+      tfstate['modules'].each do |m|
+        tf_resources = m['resources']
+        tf_resources.keys.each do |tf_res|
+          resource_type = tf_resources[tf_res]['type']
+
+          next if resource_type.eql?('random_id') # this is a Terraform resource, not a provider resource
+
+          # load resource pack resources
+          InspecPlugins::Iggy::InspecHelper.load_resource_pack(resource_path) if resource_path
+
+          # add translation layer
+          if InspecPlugins::Iggy::InspecHelper::TRANSLATED_RESOURCES.key?(resource_type)
+            Inspec::Log.debug "Iggy::Terraform::Generate.parse_resources resource_type = #{resource_type} #{InspecPlugins::Iggy::InspecHelper::TRANSLATED_RESOURCES[resource_type]} TRANSLATED"
+            resource_type = InspecPlugins::Iggy::InspecHelper::TRANSLATED_RESOURCES[resource_type]
+          end
+          resources[resource_type] = {} if resources[resource_type].nil?
+          # does this match an InSpec resource?
+          if InspecPlugins::Iggy::InspecHelper.available_resources.include?(resource_type)
+            Inspec::Log.debug "Iggy::Terraform::Generate.parse_resources resource_type = #{resource_type} MATCHED"
+            resource_id = tf_resources[tf_res]['primary']['id']
+            resource_attributes = tf_resources[tf_res]['primary']['attributes']
+            resources[resource_type][resource_id] = resource_attributes
+          else
+            Inspec::Log.debug "Iggy::Terraform.Generate.parse_generate resource_type = #{resource_type} SKIPPED"
+          end
+        end
+      end
+      resources
+    end
+
+    # take the resources and map to describes
+    def self.parse_controls(resources, absolutename, platform) # rubocop:disable Metrics/AbcSize
+      controls = []
+      # iterate over the resources types and their ids
+      resources.keys.each do |resource_type|
+        resources[resource_type].keys.each do |resource_id|
+          # insert new control based off the resource's ID
+          ctrl = Inspec::Control.new
+          ctrl.id = "#{resource_type}::#{resource_id}"
+          ctrl.title = "InSpec-Iggy #{resource_type}::#{resource_id}"
+          ctrl.descriptions[:default] = "#{resource_type}::#{resource_id} from the source file #{absolutename}\nGenerated by InSpec-Iggy v#{InspecPlugins::Iggy::VERSION}"
+          ctrl.impact = '1.0'
+
+          describe = Inspec::Describe.new
+          case platform
+          when 'aws' # rubocop:disable Lint/EmptyWhen
+          when 'azure' # rubocop:disable Lint/EmptyWhen
+            # this is a hack for azure, we need a better longterm solution
+            # if resource.start_with?('azure_')
+            #   name = resource_id.split('/').last
+            # else
+            #   name = resource_id
+            # end
+
+            # if resource_type.start_with?('azure_')
+            # if resource_type.eql?('azure_resource_group')
+            #   describe.qualifier.push([resource_type, name: name])
+            # else
+            #   resource_group = resource_id.split('resourceGroups/').last.split('/').first
+            #   describe.qualifier.push([resource_type, name: name, group_name: resource_group])
+            # end
+          when 'gcp'
+            qualifier = [resource_type, {}]
+            if InspecPlugins::Iggy::InspecHelper.available_resource_qualifiers(platform).key?(resource_type)
+              InspecPlugins::Iggy::InspecHelper.available_resource_qualifiers(platform)[resource_type].each do |parameter|
+                Inspec::Log.debug "Iggy::Terraform::Generate.parse_controls #{resource_type}  qualifier found = #{parameter} MATCHED"
+                value = resources[resource_type][resource_id][parameter.to_s] # pull value out of the tf attributes
+                qualifier[1][parameter] = value
+              end
+            end
+            describe.qualifier.push(qualifier)
+          end
+
+          # ensure the resource exists unless Azure, which currently doesn't support it as of InSpec 2.2
+          describe.add_test(nil, 'exist', nil) unless resource_type.start_with?('azure_')
+
+          # if there's a match, see if there are matching InSpec properties
+          inspec_properties = InspecPlugins::Iggy::InspecHelper.resource_properties(resource_type, platform)
+          # push stuff back into inspec_properties?
+          resources[resource_type][resource_id].keys.each do |attr|
+            if inspec_properties.member?(attr)
+              Inspec::Log.debug "Iggy::Terraform::Generate.parse_controls #{resource_type} inspec_property = #{attr} MATCHED"
+              value = resources[resource_type][resource_id][attr]
+              describe.add_test(attr, 'cmp', value)
+            else
+              Inspec::Log.debug "Iggy::Terraform::Generate.parse_controls #{resource_type} inspec_property = #{attr} SKIPPED"
+            end
+          end
+
+          ctrl.add_test(describe)
+          controls.push(ctrl)
+        end
+      end
+      Inspec::Log.debug "Iggy::Terraform::Generate.parse_generate controls = #{controls}"
+      controls
+    end
+  end
+end

data/lib/inspec-iggy/terraform/negative.rb

@@ -0,0 +1,112 @@
+# returns negative of Terraform tfstate file coverage
+
+require 'inspec/objects/control'
+require 'inspec/objects/ruby_helper'
+require 'inspec/objects/describe'
+
+require 'inspec-iggy/file_helper'
+require 'inspec-iggy/inspec_helper'
+require 'inspec-iggy/terraform/generate'
+
+module InspecPlugins::Iggy::Terraform
+  class Negative
+    # parse through the JSON and generate InSpec controls
+    def self.parse_negative(tf_file, resource_path, platform)
+      tfstate = InspecPlugins::Iggy::FileHelper.parse_json(tf_file)
+      sourcefile = File.absolute_path(tf_file)
+
+      # take those Terraform resources and map to InSpec resources by name and keep all attributes
+      parsed_resources = InspecPlugins::Iggy::Terraform::Generate.parse_resources(tfstate, resource_path, platform)
+
+      # subtract matched resources from all available resources
+      negative_controls = parse_unmatched_resources(parsed_resources, sourcefile, platform)
+      negative_controls += parse_matched_resources(parsed_resources, sourcefile, platform)
+
+      negative_controls
+    end
+
+    # return controls for the iterators of things unmatched in the terraform.tfstate
+    def self.parse_unmatched_resources(resources, sourcefile, platform)
+      resources.extend Hashie::Extensions::DeepFind # use to find iterators' values from other attributes
+      unmatched_resources = InspecPlugins::Iggy::InspecHelper.available_resource_iterators(platform).keys - resources.keys
+      Inspec::Log.debug "Terraform::Negative.parse_unmatched_resources unmatched_resources #{unmatched_resources}"
+      unmatched_controls = []
+      unmatched_resources.each do |unmatched|
+        unresources = InspecPlugins::Iggy::InspecHelper.available_resource_iterators(platform)[unmatched]
+        iterator = unresources['iterator']
+        ctrl = Inspec::Control.new
+        ctrl.id = "NEGATIVE-COVERAGE:#{iterator}"
+        ctrl.title = "InSpec-Iggy NEGATIVE-COVERAGE:#{iterator}"
+        ctrl.descriptions[:default] = "NEGATIVE-COVERAGE:#{iterator} from the source file #{sourcefile}\nGenerated by InSpec-Iggy v#{InspecPlugins::Iggy::VERSION}"
+        ctrl.impact = '1.0'
+        describe = Inspec::Describe.new
+        qualifier = [iterator, {}]
+        unresources['qualifiers'].each do |parameter|
+          Inspec::Log.debug "Terraform::Negative.parse_unmatched_resources #{iterator} qualifier found = #{parameter} MATCHED"
+          value = resources.deep_find(parameter.to_s) # value comes from another likely source. Assumption is values are consistent for this type of field
+          qualifier[1][parameter] = value
+        end
+        describe.qualifier.push(qualifier)
+        describe.add_test(nil, 'exist', nil, { negated: true }) # last field is negated
+        ctrl.add_test(describe)
+        unmatched_controls.push(ctrl)
+      end
+      Inspec::Log.debug "Terraform::Negative.parse_unmatched_resources negative_controls = #{unmatched_controls}"
+      unmatched_controls
+    end
+
+    # controls for iterators minus the matched resources
+    def self.parse_matched_resources(resources, sourcefile, platform) # rubocop:disable Metrics/AbcSize
+      Inspec::Log.debug "Terraform::Negative.parse_matched_resources matched_resources #{resources.keys}"
+      matched_controls = []
+      resources.keys.each do |resource|
+        resources[resource].extend Hashie::Extensions::DeepFind # use to find iterators' values from other attributes
+        resource_iterators = InspecPlugins::Iggy::InspecHelper.available_resource_iterators(platform)[resource]
+        if resource_iterators.nil?
+          Inspec::Log.warn "No iterator matching #{resource} for #{platform} found!"
+          next
+        else
+          iterator = resource_iterators['iterator']
+          index = resource_iterators['index']
+          Inspec::Log.debug "Terraform::Negative.parse_matched_resources iterator:#{iterator} index:#{index}"
+        end
+        # Nothing but the finest bespoke hand-built InSpec
+        ctrl =  "control 'NEGATIVE-COVERAGE:#{iterator}' do\n"
+        ctrl += "  title 'InSpec-Iggy NEGATIVE-COVERAGE:#{iterator}'\n"
+        ctrl += "  desc \"\n"
+        ctrl += "    NEGATIVE-COVERAGE:#{iterator} from the source file #{sourcefile}\n\n"
+        ctrl += "    Generated by InSpec-Iggy v#{InspecPlugins::Iggy::VERSION}\"\n\n"
+        ctrl += "  impact 1.0\n"
+        # get the qualifiers for the resource iterator
+        ctrl += "  (#{iterator}({ "
+        resource_iterators['qualifiers'].each do |parameter|
+          Inspec::Log.debug "Terraform::Negative.parse_matched_resources #{iterator} qualifier found = #{parameter} MATCHED"
+          value = resources[resource].deep_find(parameter.to_s) # value comes from resources being evaluated. Assumption is values are consistent for this type of field
+          ctrl += "#{parameter}: '#{value}', "
+        end
+        ctrl += "}).#{index} - [\n"
+        # iterate over the resources
+        resources[resource].keys.each do |resource_name|
+          ctrl += "    '#{resource_name}',\n"
+        end
+        ctrl += "  ]).each do |name|\n"
+        ctrl += "    describe #{resource}({ name: name, "
+        # iterate over resource qualifiers
+        InspecPlugins::Iggy::InspecHelper.available_resource_qualifiers(platform)[resource].each do |parameter|
+          next if parameter.eql?(:name)
+          Inspec::Log.debug "Iggy::Terraform::Negative.parse_matched_resources #{resource} qualifier found = #{parameter} MATCHED"
+          value = resources[resource].deep_find(parameter.to_s) # value comes from resources being evaluated. Assumption is values are consistent for this type of field
+          ctrl += "#{parameter}: '#{value}', "
+        end
+        ctrl += "}) do\n"
+        ctrl += "      it { should_not exist }\n"
+        ctrl += "    end\n"
+        ctrl += "  end\n"
+        ctrl += "end\n\n"
+        matched_controls.push(ctrl)
+      end
+      Inspec::Log.debug "Terraform::Negative.parse_matched_resources negative_controls = #{matched_controls}"
+      matched_controls
+    end
+  end
+end

data/lib/inspec-iggy/version.rb

@@ -2,6 +2,6 @@
 
 module InspecPlugins
   module Iggy
-    VERSION = '0.5.0'.freeze
+    VERSION = '0.6.0'.freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-iggy
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.6.0
 platform: ruby
 authors:
 - Matt Ray
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-04-29 00:00:00.000000000 Z
+date: 2019-07-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: inspec
@@ -19,7 +19,7 @@ dependencies:
         version: '2.3'
     - - "<"
       - !ruby/object:Gem::Version
-        version: 4.0.0
+        version: '5'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -29,9 +29,9 @@ dependencies:
         version: '2.3'
     - - "<"
       - !ruby/object:Gem::Version
-        version: 4.0.0
-description: InSpec plugin to generate InSpec compliance profiles from Terraform and
-  CloudFormation.
+        version: '5'
+description: InSpec plugin to generate InSpec profiles from Terraform and CloudFormation
+  to ensure automatic compliance coverage.
 email:
 - matt@chef.io
 executables: []
@@ -43,13 +43,17 @@ files:
 - inspec-iggy.gemspec
 - lib/inspec-iggy.rb
 - lib/inspec-iggy/cloudformation/cli_command.rb
-- lib/inspec-iggy/cloudformation/parser.rb
+- lib/inspec-iggy/cloudformation/generate.rb
 - lib/inspec-iggy/file_helper.rb
 - lib/inspec-iggy/inspec_helper.rb
+- lib/inspec-iggy/platforms/aws_helper.rb
+- lib/inspec-iggy/platforms/azure_helper.rb
+- lib/inspec-iggy/platforms/gcp_helper.rb
 - lib/inspec-iggy/plugin.rb
 - lib/inspec-iggy/profile_helper.rb
 - lib/inspec-iggy/terraform/cli_command.rb
-- lib/inspec-iggy/terraform/parser.rb
+- lib/inspec-iggy/terraform/generate.rb
+- lib/inspec-iggy/terraform/negative.rb
 - lib/inspec-iggy/version.rb
 homepage: https://github.com/mattray/inspec-iggy
 licenses:

data/lib/inspec-iggy/terraform/parser.rb

@@ -1,148 +0,0 @@
-# parses Terraform d.tfstate files
-
-require 'inspec/objects/control'
-require 'inspec/objects/ruby_helper'
-require 'inspec/objects/describe'
-
-require 'inspec-iggy/file_helper'
-require 'inspec-iggy/inspec_helper'
-
-module InspecPlugins::Iggy::Terraform
-  class Parser
-    # disabled extract functionality
-    # makes it easier to change out later
-    # TAG_NAME = 'iggy_name_'.freeze
-    # TAG_URL = 'iggy_url_'.freeze
-
-    # parse through the JSON and generate InSpec controls
-    def self.parse_generate(tf_file) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength, Metrics/PerceivedComplexity
-      tfstate = InspecPlugins::Iggy::FileHelper.parse_json(tf_file)
-      absolutename = File.absolute_path(tf_file)
-
-      # InSpec controls generated
-      generated_controls = []
-
-      # iterate over the resources
-      tfstate['modules'].each do |m|
-        tf_resources = m['resources']
-        tf_resources.keys.each do |tf_res|
-          tf_res_type = tf_resources[tf_res]['type']
-
-          # add translation layer
-          if InspecPlugins::Iggy::InspecHelper::TRANSLATED_RESOURCES.key?(tf_res_type)
-            Inspec::Log.debug "Iggy::Terraform.parse_generate tf_res_type = #{tf_res_type} #{InspecPlugins::Iggy::InspecHelper::TRANSLATED_RESOURCES[tf_res_type]} TRANSLATED"
-            tf_res_type = InspecPlugins::Iggy::InspecHelper::TRANSLATED_RESOURCES[tf_res_type]
-          end
-
-          # does this match an InSpec resource?
-          if InspecPlugins::Iggy::InspecHelper::RESOURCES.include?(tf_res_type)
-            Inspec::Log.debug "Iggy::Terraform.parse_generate tf_res_type = #{tf_res_type} MATCHED"
-            tf_res_id = tf_resources[tf_res]['primary']['id']
-
-            # insert new control based off the resource's ID
-            ctrl = Inspec::Control.new
-            ctrl.id = "#{tf_res_type}::#{tf_res_id}"
-            ctrl.title = "InSpec-Iggy #{tf_res_type}::#{tf_res_id}"
-            ctrl.descriptions[:default] = "#{tf_res_type}::#{tf_res_id} from the source file #{absolutename}\nGenerated by InSpec-Iggy v#{InspecPlugins::Iggy::VERSION}"
-            ctrl.impact = '1.0'
-
-            describe = Inspec::Describe.new
-            # describes the resource with the name as argument
-            # this is a hack for azure, we need a better longterm solution
-            if tf_res_type.start_with?('azure_')
-              name = tf_res_id.split('/').last
-            else
-              name = tf_res_id
-            end
-
-            # describes the resource with the id as argument
-            # going to need to move the special Azure code out, and add helpers for each provider
-            if tf_res_type.start_with?('azure_')
-              if tf_res_type.eql?('azure_resource_group')
-                describe.qualifier.push([tf_res_type, name: name])
-              else
-                resource_group = tf_res_id.split('resourceGroups/').last.split('/').first
-                describe.qualifier.push([tf_res_type, name: name, group_name: resource_group])
-              end
-            else
-              describe.qualifier.push([tf_res_type, tf_res_id])
-            end
-
-            # ensure the resource exists unless Azure, which currently doesn't support it as of InSpec 2.2
-            describe.add_test(nil, 'exist', nil) unless tf_res_type.start_with?('azure_')
-
-            # if there's a match, see if there are matching InSpec properties
-            inspec_properties = InspecPlugins::Iggy::InspecHelper.resource_properties(tf_res_type)
-            # push stuff back into inspec_properties?
-            inspec_properties.push('name') if tf_res_type.start_with?('azure_')
-            tf_resources[tf_res]['primary']['attributes'].keys.each do |attr|
-              if inspec_properties.member?(attr)
-                Inspec::Log.debug "Iggy::Terraform.parse_generate #{tf_res_type} inspec_property = #{attr} MATCHED"
-                value = tf_resources[tf_res]['primary']['attributes'][attr]
-                describe.add_test(attr, 'cmp', value)
-              else
-                Inspec::Log.debug "Iggy::Terraform.parse_generate #{tf_res_type} inspec_property = #{attr} SKIPPED"
-              end
-            end
-
-            ctrl.add_test(describe)
-            generated_controls.push(ctrl)
-          else
-            Inspec::Log.debug "Iggy::Terraform.parse_generate tf_res_type = #{tf_res_type} SKIPPED"
-          end
-        end
-      end
-      Inspec::Log.debug "Iggy::Terraform.parse_generate generated_controls = #{generated_controls}"
-      generated_controls
-    end
-
-    # disabled extract functionality
-    # # parse through the JSON for the tagged Resources
-    # def self.parse_extract(file)
-    #   tfstate = parse_tfstate(file)
-    #   # InSpec profiles extracted
-    #   extracted_profiles = {}
-
-    #   # iterate over the resources
-    #   tf_resources = tfstate['modules'][0]['resources']
-    #   tf_resources.keys.each do |tf_res|
-    #     tf_res_id = tf_resources[tf_res]['primary']['id']
-
-    #     # get the attributes, see if any of them have a tagged profile attached
-    #     tf_resources[tf_res]['primary']['attributes'].keys.each do |attr|
-    #       next unless attr.start_with?('tags.' + TAG_NAME)
-    #       Inspec::Log.debug "Iggy::Terraform.parse_extract tf_res = #{tf_res} attr = #{attr} MATCHED TAG"
-    #       # get the URL and the name of the profiles
-    #       name = attr.split(TAG_NAME)[1]
-    #       url = tf_resources[tf_res]['primary']['attributes']["tags.#{TAG_URL}#{name}"]
-    #       if tf_res.start_with?('aws_vpc') # should this be VPC or subnet?
-    #         # if it's a VPC, store it as the VPC id + name
-    #         key = tf_res_id + ':' + name
-    #         Inspec::Log.debug "Iggy::Terraform.parse_extract aws_vpc tagged with InSpec #{key}"
-    #         extracted_profiles[key] = {
-    #           'type' => 'aws_vpc',
-    #           'az' => 'us-west-2',
-    #           'url' => url,
-    #         }
-    #       elsif tf_res.start_with?('aws_instance')
-    #         # if it's a node, get information about the IP and SSH/WinRM
-    #         key = tf_res_id + ':' + name
-    #         Inspec::Log.debug "Iggy::Terraform.parse_extract aws_instance tagged with InSpec #{key}"
-    #         extracted_profiles[key] = {
-    #           'type' => 'aws_instance',
-    #           'public_ip' => tf_resources[tf_res]['primary']['attributes']['public_ip'],
-    #           'key_name' => tf_resources[tf_res]['primary']['attributes']['key_name'],
-    #           'url' => url,
-    #         }
-    #       else
-    #         # should generic AWS just be the default except for instances?
-    #         STDERR.puts "ERROR: #{file} #{tf_res_id} has an InSpec-tagged resource but #{tf_res} is currently unsupported."
-    #         exit(-1)
-    #       end
-    #     end
-    #   end
-    #   Inspec::Log.debug "Iggy::Terraform.parse_extract extracted_profiles = #{extracted_profiles}"
-    #   extracted_profiles
-    # end
-  end
-end