inspec-iggy 0.6.0 → 0.7.0

data/lib/inspec-iggy/terraform/cli_command.rb

@@ -1,89 +1,80 @@
 # Terraform CLI command and options
 
-require 'inspec/plugin/v2'
+require "inspec/plugin/v2"
 
-require 'inspec-iggy/version'
-require 'inspec-iggy/profile_helper'
-require 'inspec-iggy/terraform/generate'
-require 'inspec-iggy/terraform/negative'
+require "inspec-iggy/version"
+require "inspec-iggy/profile_helper"
+require "inspec-iggy/terraform/generate"
+require "inspec-iggy/terraform/negative"
 
 module InspecPlugins::Iggy
   module Terraform
     class CliCommand < Inspec.plugin(2, :cli_command)
-      subcommand_desc 'terraform SUBCOMMAND ...', 'Generate an InSpec profile from Terraform'
-
-      # Thor.map(Hash) allows you to make aliases for commands.
-      map('-v' => 'version')         # Treat `inspec terraform -v`` as `inspec terraform version`
-      map('--version' => 'version')  # Treat `inspec terraform -version`` as `inspec terraform version`
-
-      desc 'version', 'Display version information', hide: true
-      def version
-        say("Iggy v#{InspecPlugins::Iggy::VERSION}")
-      end
+      subcommand_desc "terraform SUBCOMMAND ...", "Generate an InSpec profile from Terraform"
 
       class_option :debug,
-                   desc: 'Verbose debugging messages',
+                   desc: "Verbose debugging messages",
                    type: :boolean,
                    default: false
 
       class_option :copyright,
-                   desc: 'Name of the copyright holder',
-                   default: 'The Authors'
+                   desc: "Name of the copyright holder",
+                   default: "The Authors"
 
       class_option :email,
-                   desc: 'Email address of the author',
-                   default: 'you@example.com'
+                   desc: "Email address of the author",
+                   default: "you@example.com"
 
       class_option :license,
-                   desc: 'License for the profile',
-                   default: 'Apache-2.0'
+                   desc: "License for the profile",
+                   default: "Apache-2.0"
 
       class_option :maintainer,
-                   desc: 'Name of the copyright holder',
-                   default: 'The Authors'
+                   desc: "Name of the copyright holder",
+                   default: "The Authors"
 
       class_option :summary,
-                   desc: 'One line summary for the profile',
-                   default: 'An InSpec Compliance Profile'
+                   desc: "One line summary for the profile",
+                   default: "An InSpec Compliance Profile"
 
       class_option :title,
-                   desc: 'Human-readable name for the profile',
-                   default: 'InSpec Profile'
+                   desc: "Human-readable name for the profile",
+                   default: "InSpec Profile"
 
       class_option :version,
-                   desc: 'Specify the profile version',
-                   default: '0.1.0'
+                   desc: "Specify the profile version",
+                   default: "0.1.0"
 
       class_option :overwrite,
-                   desc: 'Overwrites existing profile directory',
+                   desc: "Overwrites existing profile directory",
                    type: :boolean,
                    default: false
 
       class_option :name,
-                   aliases: '-n',
+                   aliases: "-n",
                    required: true,
-                   desc: 'Name of profile to be generated'
+                   desc: "Name of profile to be generated"
 
       class_option :tfstate,
-                   aliases: '-t',
-                   desc: 'Specify path to the input terraform.tfstate',
-                   default: 'terraform.tfstate'
+                   aliases: "-t",
+                   desc: "Specify path to the input terraform.tfstate",
+                   default: "terraform.tfstate"
 
       class_option :platform,
-                   desc: 'The InSpec platform providing the necessary resources (aws, azure, or gcp)'
+                   desc: "The InSpec platform providing the necessary resources (aws, azure, or gcp)"
 
       class_option :resourcepath,
-                   desc: 'Specify path to the InSpec Resource Pack providing the necessary resources'
+                   desc: "Specify path to the InSpec Resource Pack providing the necessary resources"
 
-      desc 'generate [options]', 'Generate InSpec compliance controls from terraform.tfstate'
+      desc "generate [options]", "Generate InSpec compliance controls from terraform.tfstate"
       def generate
         Inspec::Log.level = :debug if options[:debug]
         platform = options[:platform]
         resource_path = options[:resourcepath]
         # require validation that if platform or resourcepath are passed, both are available
-        if platform or resource_path
-          unless platform and resource_path
-            error 'You must pass both --platform and --resourcepath if using either'
+        if platform || resource_path
+          unless platform && resource_path
+            error "You must pass both --platform and --resourcepath if using either"
             exit(1)
           end
         end
@@ -93,15 +84,15 @@ module InspecPlugins::Iggy
         exit 0
       end
 
-      desc 'negative [options]', 'Generate negative InSpec compliance controls from terraform.tfstate'
+      desc "negative [options]", "Generate negative InSpec compliance controls from terraform.tfstate"
       def negative
         Inspec::Log.level = :debug if options[:debug]
         platform = options[:platform]
         resource_path = options[:resourcepath]
         # require validation that if platform or resourcepath are passed, both are available
-        if platform or resource_path
-          unless platform and resource_path
-            error 'You must pass both --platform and --resourcepath if using either'
+        if platform || resource_path
+          unless platform && resource_path
+            error "You must pass both --platform and --resourcepath if using either"
             exit(1)
           end
         end

data/lib/inspec-iggy/terraform/generate.rb

@@ -1,11 +1,11 @@
 # parses Terraform d.tfstate files
 
-require 'inspec/objects/control'
-require 'inspec/objects/ruby_helper'
-require 'inspec/objects/describe'
+require "inspec/objects/control"
+require "inspec/objects/ruby_helper"
+require "inspec/objects/describe"
 
-require 'inspec-iggy/file_helper'
-require 'inspec-iggy/inspec_helper'
+require "inspec-iggy/file_helper"
+require "inspec-iggy/inspec_helper"
 
 module InspecPlugins::Iggy::Terraform
   class Generate
@@ -30,31 +30,30 @@ module InspecPlugins::Iggy::Terraform
     def self.parse_resources(tfstate, resource_path, _platform)
       # iterate over the resources
       resources = {}
-      tfstate['modules'].each do |m|
-        tf_resources = m['resources']
-        tf_resources.keys.each do |tf_res|
-          resource_type = tf_resources[tf_res]['type']
-
-          next if resource_type.eql?('random_id') # this is a Terraform resource, not a provider resource
-
-          # load resource pack resources
-          InspecPlugins::Iggy::InspecHelper.load_resource_pack(resource_path) if resource_path
-
-          # add translation layer
-          if InspecPlugins::Iggy::InspecHelper::TRANSLATED_RESOURCES.key?(resource_type)
-            Inspec::Log.debug "Iggy::Terraform::Generate.parse_resources resource_type = #{resource_type} #{InspecPlugins::Iggy::InspecHelper::TRANSLATED_RESOURCES[resource_type]} TRANSLATED"
-            resource_type = InspecPlugins::Iggy::InspecHelper::TRANSLATED_RESOURCES[resource_type]
-          end
-          resources[resource_type] = {} if resources[resource_type].nil?
-          # does this match an InSpec resource?
-          if InspecPlugins::Iggy::InspecHelper.available_resources.include?(resource_type)
-            Inspec::Log.debug "Iggy::Terraform::Generate.parse_resources resource_type = #{resource_type} MATCHED"
-            resource_id = tf_resources[tf_res]['primary']['id']
-            resource_attributes = tf_resources[tf_res]['primary']['attributes']
+      tf_resources = tfstate["resources"]
+      tf_resources.each do |tf_res|
+        resource_type = tf_res["type"]
+        next if resource_type.eql?("random_id") # this is a Terraform resource, not a provider resource
+
+        # load resource pack resources
+        InspecPlugins::Iggy::InspecHelper.load_resource_pack(resource_path) if resource_path
+
+        # add translation layer
+        if InspecPlugins::Iggy::InspecHelper::TRANSLATED_RESOURCES.key?(resource_type)
+          Inspec::Log.debug "Iggy::Terraform::Generate.parse_resources resource_type = #{resource_type} #{InspecPlugins::Iggy::InspecHelper::TRANSLATED_RESOURCES[resource_type]} TRANSLATED"
+          resource_type = InspecPlugins::Iggy::InspecHelper::TRANSLATED_RESOURCES[resource_type]
+        end
+        resources[resource_type] = {} if resources[resource_type].nil?
+        # does this match an InSpec resource?
+        if InspecPlugins::Iggy::InspecHelper.available_resources.include?(resource_type)
+          Inspec::Log.debug "Iggy::Terraform::Generate.parse_resources resource_type = #{resource_type} MATCHED"
+          tf_res["instances"].each do |instance|
+            resource_id = instance["attributes"]["id"]
+            resource_attributes = instance["attributes"]
             resources[resource_type][resource_id] = resource_attributes
-          else
-            Inspec::Log.debug "Iggy::Terraform.Generate.parse_generate resource_type = #{resource_type} SKIPPED"
           end
+        else
+          Inspec::Log.debug "Iggy::Terraform.Generate.parse_generate resource_type = #{resource_type} SKIPPED"
         end
       end
       resources
@@ -71,12 +70,27 @@ module InspecPlugins::Iggy::Terraform
           ctrl.id = "#{resource_type}::#{resource_id}"
           ctrl.title = "InSpec-Iggy #{resource_type}::#{resource_id}"
           ctrl.descriptions[:default] = "#{resource_type}::#{resource_id} from the source file #{absolutename}\nGenerated by InSpec-Iggy v#{InspecPlugins::Iggy::VERSION}"
-          ctrl.impact = '1.0'
+          ctrl.impact = "1.0"
 
           describe = Inspec::Describe.new
-          case platform
-          when 'aws' # rubocop:disable Lint/EmptyWhen
-          when 'azure' # rubocop:disable Lint/EmptyWhen
+          case platform # this may need to get refactored away once Azure is tested
+          when "aws"
+            qualifier = [resource_type, {}]
+            if InspecPlugins::Iggy::InspecHelper.available_resource_qualifiers(platform).key?(resource_type) # there are additional qualifiers
+              first = true
+              InspecPlugins::Iggy::InspecHelper.available_resource_qualifiers(platform)[resource_type].each do |parameter|
+                Inspec::Log.debug "Iggy::Terraform::Generate.parse_controls #{resource_type} qualifier found = #{parameter} MATCHED"
+                if first # this is the id for the resource
+                  value = resources[resource_type][resource_id]["id"] # pull value out of the tf attributes
+                  first = false
+                else
+                  value = resources[resource_type][resource_id][parameter.to_s] # pull value out of the tf attributes
+                end
+                qualifier[1][parameter] = value
+              end
+            end
+            describe.qualifier.push(qualifier)
+          when "azure" # rubocop:disable Lint/EmptyWhen
             # this is a hack for azure, we need a better longterm solution
             # if resource.start_with?('azure_')
             #   name = resource_id.split('/').last
@@ -91,11 +105,11 @@ module InspecPlugins::Iggy::Terraform
             #   resource_group = resource_id.split('resourceGroups/').last.split('/').first
             #   describe.qualifier.push([resource_type, name: name, group_name: resource_group])
             # end
-          when 'gcp'
+          when "gcp"
             qualifier = [resource_type, {}]
             if InspecPlugins::Iggy::InspecHelper.available_resource_qualifiers(platform).key?(resource_type)
               InspecPlugins::Iggy::InspecHelper.available_resource_qualifiers(platform)[resource_type].each do |parameter|
-                Inspec::Log.debug "Iggy::Terraform::Generate.parse_controls #{resource_type}  qualifier found = #{parameter} MATCHED"
+                Inspec::Log.debug "Iggy::Terraform::Generate.parse_controls #{resource_type} qualifier found = #{parameter} MATCHED"
                 value = resources[resource_type][resource_id][parameter.to_s] # pull value out of the tf attributes
                 qualifier[1][parameter] = value
               end
@@ -104,7 +118,7 @@ module InspecPlugins::Iggy::Terraform
           end
 
           # ensure the resource exists unless Azure, which currently doesn't support it as of InSpec 2.2
-          describe.add_test(nil, 'exist', nil) unless resource_type.start_with?('azure_')
+          describe.add_test(nil, "exist", nil) unless resource_type.start_with?("azure_")
 
           # if there's a match, see if there are matching InSpec properties
           inspec_properties = InspecPlugins::Iggy::InspecHelper.resource_properties(resource_type, platform)
@@ -113,7 +127,13 @@ module InspecPlugins::Iggy::Terraform
             if inspec_properties.member?(attr)
               Inspec::Log.debug "Iggy::Terraform::Generate.parse_controls #{resource_type} inspec_property = #{attr} MATCHED"
               value = resources[resource_type][resource_id][attr]
-              describe.add_test(attr, 'cmp', value)
+              if value
+                # check to see if there is a translate for this attr
+                property = InspecPlugins::Iggy::InspecHelper.translated_resource_property(platform, resource_type, attr)
+                describe.add_test(property, "cmp", value)
+              else
+                Inspec::Log.debug "Iggy::Terraform::Generate.parse_controls #{resource_type} inspec_property = #{attr} SKIPPED FOR NIL"
+              end
             else
               Inspec::Log.debug "Iggy::Terraform::Generate.parse_controls #{resource_type} inspec_property = #{attr} SKIPPED"
             end

data/lib/inspec-iggy/terraform/negative.rb

@@ -1,12 +1,14 @@
 # returns negative of Terraform tfstate file coverage
 
-require 'inspec/objects/control'
-require 'inspec/objects/ruby_helper'
-require 'inspec/objects/describe'
+require "hashie"
 
-require 'inspec-iggy/file_helper'
-require 'inspec-iggy/inspec_helper'
-require 'inspec-iggy/terraform/generate'
+require "inspec/objects/control"
+require "inspec/objects/ruby_helper"
+require "inspec/objects/describe"
+
+require "inspec-iggy/file_helper"
+require "inspec-iggy/inspec_helper"
+require "inspec-iggy/terraform/generate"
 
 module InspecPlugins::Iggy::Terraform
   class Negative
@@ -33,21 +35,21 @@ module InspecPlugins::Iggy::Terraform
       unmatched_controls = []
       unmatched_resources.each do |unmatched|
         unresources = InspecPlugins::Iggy::InspecHelper.available_resource_iterators(platform)[unmatched]
-        iterator = unresources['iterator']
+        iterator = unresources["iterator"]
         ctrl = Inspec::Control.new
         ctrl.id = "NEGATIVE-COVERAGE:#{iterator}"
         ctrl.title = "InSpec-Iggy NEGATIVE-COVERAGE:#{iterator}"
         ctrl.descriptions[:default] = "NEGATIVE-COVERAGE:#{iterator} from the source file #{sourcefile}\nGenerated by InSpec-Iggy v#{InspecPlugins::Iggy::VERSION}"
-        ctrl.impact = '1.0'
+        ctrl.impact = "1.0"
         describe = Inspec::Describe.new
         qualifier = [iterator, {}]
-        unresources['qualifiers'].each do |parameter|
+        unresources["qualifiers"].each do |parameter|
           Inspec::Log.debug "Terraform::Negative.parse_unmatched_resources #{iterator} qualifier found = #{parameter} MATCHED"
           value = resources.deep_find(parameter.to_s) # value comes from another likely source. Assumption is values are consistent for this type of field
           qualifier[1][parameter] = value
         end
         describe.qualifier.push(qualifier)
-        describe.add_test(nil, 'exist', nil, { negated: true }) # last field is negated
+        describe.add_test(nil, "exist", nil, { negated: true }) # last field is negated
         ctrl.add_test(describe)
         unmatched_controls.push(ctrl)
       end
@@ -66,8 +68,8 @@ module InspecPlugins::Iggy::Terraform
           Inspec::Log.warn "No iterator matching #{resource} for #{platform} found!"
           next
         else
-          iterator = resource_iterators['iterator']
-          index = resource_iterators['index']
+          iterator = resource_iterators["iterator"]
+          index = resource_iterators["index"]
           Inspec::Log.debug "Terraform::Negative.parse_matched_resources iterator:#{iterator} index:#{index}"
         end
         # Nothing but the finest bespoke hand-built InSpec
@@ -78,25 +80,42 @@ module InspecPlugins::Iggy::Terraform
         ctrl += "    Generated by InSpec-Iggy v#{InspecPlugins::Iggy::VERSION}\"\n\n"
         ctrl += "  impact 1.0\n"
         # get the qualifiers for the resource iterator
-        ctrl += "  (#{iterator}({ "
-        resource_iterators['qualifiers'].each do |parameter|
-          Inspec::Log.debug "Terraform::Negative.parse_matched_resources #{iterator} qualifier found = #{parameter} MATCHED"
-          value = resources[resource].deep_find(parameter.to_s) # value comes from resources being evaluated. Assumption is values are consistent for this type of field
-          ctrl += "#{parameter}: '#{value}', "
+        ctrl += "  (#{iterator}.where({ "
+        if resource_iterators["qualifiers"]
+          resource_iterators["qualifiers"].each do |parameter|
+            Inspec::Log.debug "Terraform::Negative.parse_matched_resources #{iterator} qualifier found = #{parameter} MATCHED"
+            value = resources[resource].deep_find(parameter.to_s) # value comes from resources being evaluated. Assumption is values are consistent for this type of field
+            unless value
+              Inspec::Log.warn "Terraform::Negative.parse_matched_resources #{resource} no #{parameter} value found, searching outside scope."
+              value = resources.deep_find(parameter.to_s)
+            end
+            ctrl += "#{parameter}: '#{value}', "
+          end
         end
         ctrl += "}).#{index} - [\n"
         # iterate over the resources
         resources[resource].keys.each do |resource_name|
           ctrl += "    '#{resource_name}',\n"
         end
-        ctrl += "  ]).each do |name|\n"
-        ctrl += "    describe #{resource}({ name: name, "
+        ctrl += "  ]).each do |id|\n"
+        ctrl += "    describe #{resource}({ "
         # iterate over resource qualifiers
+        first = true
         InspecPlugins::Iggy::InspecHelper.available_resource_qualifiers(platform)[resource].each do |parameter|
-          next if parameter.eql?(:name)
-          Inspec::Log.debug "Iggy::Terraform::Negative.parse_matched_resources #{resource} qualifier found = #{parameter} MATCHED"
-          value = resources[resource].deep_find(parameter.to_s) # value comes from resources being evaluated. Assumption is values are consistent for this type of field
-          ctrl += "#{parameter}: '#{value}', "
+          if first # index is first
+            ctrl += "#{parameter}: id, "
+            first = false
+            next
+          end
+          property = parameter.to_s
+          properties = InspecPlugins::Iggy::InspecHelper.available_translated_resource_properties(platform, resource)
+          if properties && properties.value?(parameter.to_s)
+            property = properties.key(parameter.to_s) # translate back if necessary
+          end
+          # instead of looking up the key, find by value?
+          Inspec::Log.debug "Iggy::Terraform::Negative.parse_matched_resources #{resource} qualifier found = #{property} MATCHED"
+          value = resources[resource].deep_find(property) # value comes from resources being evaluated. Assumption is values are consistent for this type of field
+          ctrl += "#{property}: '#{value}', "
         end
         ctrl += "}) do\n"
         ctrl += "      it { should_not exist }\n"

data/lib/inspec-iggy/version.rb

@@ -2,6 +2,6 @@
 
 module InspecPlugins
   module Iggy
-    VERSION = '0.6.0'.freeze
+    VERSION = "0.7.0".freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-iggy
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.7.0
 platform: ruby
 authors:
 - Matt Ray
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-07-15 00:00:00.000000000 Z
+date: 2019-12-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: inspec
@@ -16,7 +16,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '2.3'
+        version: '3'
     - - "<"
       - !ruby/object:Gem::Version
         version: '5'
@@ -26,7 +26,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '2.3'
+        version: '3'
     - - "<"
       - !ruby/object:Gem::Version
         version: '5'
@@ -45,6 +45,7 @@ files:
 - lib/inspec-iggy/cloudformation/cli_command.rb
 - lib/inspec-iggy/cloudformation/generate.rb
 - lib/inspec-iggy/file_helper.rb
+- lib/inspec-iggy/iggy_cli_command.rb
 - lib/inspec-iggy/inspec_helper.rb
 - lib/inspec-iggy/platforms/aws_helper.rb
 - lib/inspec-iggy/platforms/azure_helper.rb