inspec-iggy 0.5.0 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2fda35bc2132112d64bad18dab4c2082adb075b9e9a4f9e809297dcba8f34512
-  data.tar.gz: 3ece40720d734afcb5af8acd8eb54e193dc70c28ca4c87d38bf6d62bcb7c9637
+  metadata.gz: 937720e2817669251c145140bb5a1a7c168fd2afa66a02fe3313028facbee416
+  data.tar.gz: 787196902a3ce2826b11498a38b7ddad33ba7f28e73f37d32c1924889fd51f48
 SHA512:
-  metadata.gz: 1e34a5bee669e7e63948af184efe3395c45cc46e270d0ed929a8a3d11787d3a5c14f0827ab911050a0a9e1b8be00e32fca212d303b31f46e45c80d4b1119ccc1
-  data.tar.gz: 99ef09d4c2fd5d30896b934b7eda623f37ff24f018bc143dcb1f87f19ba13d70b6f6f620feb38dc44d99eac042baf801e48c77c6203cae796850bb4e316a8925
+  metadata.gz: 0e10cdd048643efe66f40c294f97297eaad4f0652d59951f7a77afa7859d27990e32feee91cc841e261a9b30b5af1b1b12a8b712f412ad02011faf5826478907
+  data.tar.gz: bc13bd1ab48457f3c335f839454aa4605aa146c8e0c0393da051709af8fb8b92f0e5ecc8c1d7c286bb54d78b5efe36a40e63f44cbd236a97a0af137dcfac5289

data/Gemfile

@@ -11,3 +11,22 @@ group :test do
   gem 'm'
   gem 'pry-byebug'
 end
+
+group :aws do
+  #  gem 'aws-sdk', '~> 3'
+  gem 'aws-sdk-autoscaling', '~> 1'
+  gem 'aws-sdk-cloudtrail', '~> 1'
+  gem 'aws-sdk-cloudwatch', '~> 1'
+  gem 'aws-sdk-cloudwatchlogs', '~> 1'
+  gem 'aws-sdk-configservice', '~> 1'
+  gem 'aws-sdk-ec2', '~> 1'
+  gem 'aws-sdk-ecs', '~> 1'
+  gem 'aws-sdk-eks', '~> 1'
+  gem 'aws-sdk-elasticloadbalancing', '~> 1'
+  gem 'aws-sdk-iam', '~> 1'
+  gem 'aws-sdk-organizations', '~> 1'
+  gem 'aws-sdk-rds', '~> 1'
+  gem 'aws-sdk-s3', '~> 1'
+  gem 'aws-sdk-sns', '~> 1'
+  gem 'aws-sdk-sqs', '~> 1'
+end

data/README.md

@@ -16,8 +16,9 @@ The [CHANGELOG.md](https://github.com/mattray/iggy/blob/master/CHANGELOG.md) cov
 2. [Support](#support)
 3. [Installation](#installation)
 4. [InSpec Terraform Generate](#itg)
-5. [InSpec Cloudformation Generate](#icg)
-6. [Development and Testing](#development)
+5. [InSpec Terraform Negative](#itn)
+6. [InSpec Cloudformation Generate](#icg)
+7. [Development and Testing](#development)
 
 # Support<a name="support"></a>
 
@@ -39,7 +40,7 @@ Written and tested with Ruby 2.6.
 
     inspec terraform generate --tfstate terraform.tfstate --name myprofile
 
-Iggy dynamically pulls the available AWS resources from InSpec and attempts to map them to Terraform resources, producing an InSpec profile. ```inspec terraform generate --help``` will show all available options.
+Iggy dynamically pulls the available Cloud resources from InSpec and attempts to map them to Terraform resources, producing an InSpec profile. ```inspec terraform generate --help``` will show all available options.
 
 ## Usage
 
@@ -58,6 +59,36 @@ Iggy dynamically pulls the available AWS resources from InSpec and attempts to m
      [--debug], [--no-debug]          Verbose debugging messages
      [--log-level=LOG_LEVEL]          Set the log level: info (default), debug, warn, error
      [--log-location=LOG_LOCATION]    Location to send diagnostic log messages to. (default: STDOUT or Inspec::Log.error)
+     [--platform=gcp|aws|azure]       Cloud provider name
+     [--resourcepath=INSPEC_CLOUD_RESOURCE_PATH] Location of inspec-gcp|inspec-aws|inspec-azure resources
+     Note: --resourcepath should point to the directory where inspec-<cloud_provider> resource pack is downloaded/cloned from Github.
+
+# InSpec Terraform Negative<a name="itn"></a>
+
+    inspec terraform negative --tfstate terraform.tfstate --name myprofile
+
+Iggy dynamically pulls the available Cloud resources from InSpec and attempts to map them to Terraform resources, producing an InSpec profile which are not part of tfstate file. It informs the user that these resources are not part of tfstate file and can be deleted if not needed.```inspec terraform negative --help``` will show all available options.
+
+## Usage
+
+    inspec terraform negative [options] -n, --name=NAME
+
+     -n, --name=NAME                  Name of profile to be generated (required)
+     -t, [--tfstate=TFSTATE]          Specify path to the input terraform.tfstate (default: .)
+     [--copyright=COPYRIGHT]          Name of the copyright holder (default: The Authors)
+     [--email=EMAIL]                  Email address of the author (default: you@example.com)
+     [--license=LICENSE]              License for the profile (default: Apache-2.0)
+     [--maintainer=MAINTAINER]        Name of the copyright holder (default: The Authors)
+     [--summary=SUMMARY]              One line summary for the profile (default: An InSpec Compliance Profile)
+     [--title=TITLE]                  Human-readable name for the profile (default: InSpec Profile)
+     [--version=VERSION]              Specify the profile version (default: 0.1.0)
+     [--overwrite], [--no-overwrite]  Overwrites existing profile directory
+     [--debug], [--no-debug]          Verbose debugging messages
+     [--log-level=LOG_LEVEL]          Set the log level: info (default), debug, warn, error
+     [--log-location=LOG_LOCATION]    Location to send diagnostic log messages to. (default: STDOUT or Inspec::Log.error)
+     [--platform=gcp|aws|azure]       Cloud provider name
+     [--resourcepath=INSPEC_CLOUD_RESOURCE_PATH] Location of inspec-gcp|inspec-aws|inspec-azure resources
+     Note: --resourcepath should point to the directory where inspec-<cloud_provider> resource pack is downloaded/cloned from Github.
 
 # InSpec CloudFormation Generate<a name="icg"></a>
 

data/inspec-iggy.gemspec

@@ -10,7 +10,7 @@ Gem::Specification.new do |spec|
   spec.authors     = ['Matt Ray']
   spec.email       = ['matt@chef.io']
   spec.summary     = 'InSpec plugin to generate InSpec compliance profiles from Terraform and CloudFormation.'
-  spec.description = 'InSpec plugin to generate InSpec compliance profiles from Terraform and CloudFormation.'
+  spec.description = 'InSpec plugin to generate InSpec profiles from Terraform and CloudFormation to ensure automatic compliance coverage.'
   spec.homepage    = 'https://github.com/mattray/inspec-iggy'
   spec.license     = 'Apache-2.0'
 
@@ -22,5 +22,5 @@ Gem::Specification.new do |spec|
 
   spec.require_paths = ['lib']
 
-  spec.add_dependency 'inspec', '>=2.3', '<4.0.0'
+  spec.add_dependency 'inspec', '>=2.3', '<5'
 end

data/lib/inspec-iggy/cloudformation/cli_command.rb

@@ -4,7 +4,7 @@ require 'inspec/plugin/v2'
 
 require 'inspec-iggy/version'
 require 'inspec-iggy/profile_helper'
-require 'inspec-iggy/cloudformation/parser'
+require 'inspec-iggy/cloudformation/generate'
 
 module InspecPlugins::Iggy
   module CloudFormation
@@ -77,9 +77,9 @@ module InspecPlugins::Iggy
       def generate
         Inspec::Log.level = :debug if options[:debug]
         # hash of generated controls
-        generated_controls = InspecPlugins::Iggy::CloudFormation::Parser.parse_generate(options[:template])
+        generated_controls = InspecPlugins::Iggy::CloudFormation::Generate.parse_generate(options[:template])
         printable_controls = InspecPlugins::Iggy::InspecHelper.cfn_controls(options[:title], generated_controls, options[:stack])
-        InspecPlugins::Iggy::ProfileHelper.render_profile(self, options, options[:template], printable_controls)
+        InspecPlugins::Iggy::ProfileHelper.render_profile(ui, options, options[:template], printable_controls)
         exit 0
       end
     end

data/lib/inspec-iggy/cloudformation/{parser.rb → generate.rb}

@@ -8,7 +8,7 @@ require 'inspec-iggy/file_helper'
 require 'inspec-iggy/inspec_helper'
 
 module InspecPlugins::Iggy::CloudFormation
-  class Parser
+  class Generate
     # parse through the JSON and generate InSpec controls
     def self.parse_generate(cfn_template) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength, Metrics/PerceivedComplexity
       template = InspecPlugins::Iggy::FileHelper.parse_json(cfn_template)
@@ -27,13 +27,13 @@ module InspecPlugins::Iggy::CloudFormation
 
         # add translation layer
         if InspecPlugins::Iggy::InspecHelper::TRANSLATED_RESOURCES.key?(cfn_res_type)
-          Inspec::Log.debug "CloudFormation.parse_generate cfn_res_type = #{cfn_res_type} #{InspecPlugins::Iggy::InspecHelper::TRANSLATED_RESOURCES[cfn_res_type]} TRANSLATED"
+          Inspec::Log.debug "CloudFormation::Generate.parse_generate cfn_res_type = #{cfn_res_type} #{InspecPlugins::Iggy::InspecHelper::TRANSLATED_RESOURCES[cfn_res_type]} TRANSLATED"
           cfn_res_type = InspecPlugins::Iggy::InspecHelper::TRANSLATED_RESOURCES[cfn_res_type]
         end
 
         # does this match an InSpec resource?
-        if InspecPlugins::Iggy::InspecHelper::RESOURCES.include?(cfn_res_type)
-          Inspec::Log.debug "CloudFormation.parse_generate cfn_res_type = #{cfn_res_type} MATCHED"
+        if InspecPlugins::Iggy::InspecHelper.available_resources.include?(cfn_res_type)
+          Inspec::Log.debug "CloudFormation::Generate.parse_generate cfn_res_type = #{cfn_res_type} MATCHED"
 
           # insert new control based off the resource's ID
           ctrl = Inspec::Control.new
@@ -53,13 +53,13 @@ module InspecPlugins::Iggy::CloudFormation
           describe.add_test(nil, 'be_running', nil) if cfn_res_type.eql?('aws_ec2_instance')
 
           # if there's a match, see if there are matching InSpec properties
-          inspec_properties = InspecPlugins::Iggy::InspecHelper.resource_properties(cfn_res_type)
+          inspec_properties = InspecPlugins::Iggy::InspecHelper.resource_properties(cfn_res_type, 'aws')
           cfn_resources[cfn_res]['Properties'].keys.each do |attr|
             # insert '_' on the CamelCase to get camel_case
             attr_split = attr.split(/(?=[A-Z])/)
             property = attr_split.join('_').downcase
             if inspec_properties.member?(property)
-              Inspec::Log.debug "CloudFormation.parse_generate #{cfn_res_type} inspec_property = #{property} MATCHED"
+              Inspec::Log.debug "CloudFormation::Generate.parse_generate #{cfn_res_type} inspec_property = #{property} MATCHED"
               value = cfn_resources[cfn_res]['Properties'][attr]
               if (value.is_a? Hash) || (value.is_a? Array)
                 #  these get replaced at inspec exec
@@ -77,16 +77,16 @@ module InspecPlugins::Iggy::CloudFormation
                 describe.add_test(property, 'cmp', value)
               end
             else
-              Inspec::Log.debug "CloudFormation.parse_generate #{cfn_res_type} inspec_property = #{property} SKIPPED"
+              Inspec::Log.debug "CloudFormation::Generate.parse_generate #{cfn_res_type} inspec_property = #{property} SKIPPED"
             end
           end
           ctrl.add_test(describe)
           generated_controls.push(ctrl)
         else
-          Inspec::Log.debug "CloudFormation.parse_generate cfn_res_type = #{cfn_res_type} SKIPPED"
+          Inspec::Log.debug "CloudFormation::Generate.parse_generate cfn_res_type = #{cfn_res_type} SKIPPED"
         end
       end
-      Inspec::Log.debug "CloudFormation.parse_generate generated_controls = #{generated_controls}"
+      Inspec::Log.debug "CloudFormation::Generate.parse_generate generated_controls = #{generated_controls}"
       generated_controls
     end
   end

data/lib/inspec-iggy/inspec_helper.rb

@@ -2,11 +2,19 @@
 
 require 'inspec'
 
+require 'inspec-iggy/platforms/aws_helper'
+require 'inspec-iggy/platforms/azure_helper'
+require 'inspec-iggy/platforms/gcp_helper'
+
 module InspecPlugins
   module Iggy
     class InspecHelper
-      # constants for the InSpec resources
-      RESOURCES = Inspec::Resource.registry.keys
+      @inspec_resources = Inspec::Resource.registry.keys
+
+      # list of resources available from InSpec
+      def self.available_resources
+        @inspec_resources
+      end
 
       # translate Terraform resource name to InSpec
       TRANSLATED_RESOURCES = {
@@ -18,10 +26,429 @@ module InspecPlugins
         # 'aws_route' => 'aws_route_table' # needs route_table_id instead of id
       }.freeze
 
+      def self.available_resource_qualifiers(platform)
+        case platform
+        when 'aws'
+          InspecPlugins::Iggy::Platforms::AwsHelper::AWS_RESOURCE_QUALIFIERS
+        when 'azure'
+          InspecPlugins::Iggy::Platforms::AzureHelper::AZURE_RESOURCE_QUALIFIERS
+        when 'gcp'
+          InspecPlugins::Iggy::Platforms::GcpHelper::GCP_RESOURCE_QUALIFIERS
+        end
+      end
+
+      def self.available_resource_iterators(platform)
+        case platform
+        when 'aws'
+          InspecPlugins::Iggy::Platforms::AwsHelper::AWS_RESOURCE_ITERATORS
+        when 'azure'
+          InspecPlugins::Iggy::Platforms::AzureHelper::AZURE_RESOURCE_ITERATORS
+        when 'gcp'
+          InspecPlugins::Iggy::Platforms::GcpHelper::GCP_RESOURCE_ITERATORS
+        end
+      end
+
+      # manually maintained common methods we don't want to test InSpec properties
+      REMOVED_COMMON_PROPERTIES = [
+        :!,
+        :!=,
+        :!~,
+        :<=>,
+        :==,
+        :===,
+        :=~,
+        :__binding__,
+        :__id__,
+        :__send__,
+        :check_supports,
+        :class,
+        :clone,
+        :dclone,
+        :define_singleton_method,
+        :display,
+        :dup,
+        :enum_for,
+        :eql?,
+        :equal?,
+        :extend,
+        :fail_resource,
+        :freeze,
+        :frozen?,
+        :hash,
+        :inspec,
+        :inspect,
+        :instance_eval,
+        :instance_exec,
+        :instance_of?,
+        :instance_variable_defined?,
+        :instance_variable_get,
+        :instance_variable_set,
+        :instance_variables,
+        :is_a?,
+        :itself,
+        :kind_of?,
+        :method,
+        :methods,
+        :nil?,
+        :object_id,
+        :pretty_inspect,
+        :pretty_print,
+        :pretty_print_cycle,
+        :pretty_print_inspect,
+        :pretty_print_instance_variables,
+        :private_methods,
+        :protected_methods,
+        :pry,
+        :public_method,
+        :public_methods,
+        :public_send,
+        :remove_instance_variable,
+        :resource_exception_message,
+        :resource_failed?,
+        :resource_skipped?,
+        :respond_to?,
+        :send,
+        :should,
+        :should_not,
+        :singleton_class,
+        :singleton_method,
+        :singleton_methods,
+        :skip_resource,
+        :taint,
+        :tainted?,
+        :tap,
+        :then,
+        :to_enum,
+        :to_json,
+        :to_s,
+        :to_yaml,
+        :trust,
+        :untaint,
+        :untrust,
+        :untrusted?,
+        :yield_self
+      ].freeze
+
+      # properties are often dynamically generated, making it hard to determine
+      # their existence without instantiating them. Because of this, we will
+      # maintain a manual list for now
+      ADDITIONAL_COMMON_PROPERTIES = [
+        # :backend_service, # documented but undefined
+        # :id, #disabled for GCP
+        # :ip_version, # documented but undefined
+        # :network, # documented but undefined
+        # :subnetwork, # documented but undefined
+        :addons_config,
+        :address_type,
+        :address,
+        :aggregation_alignment_period,
+        :aggregation_cross_series_reducer,
+        :aggregation_per_series_aligner,
+        :allowed,
+        :archive_size_bytes,
+        :auto_create_subnetworks,
+        :available_cpu_platforms,
+        :available_memory_mb,
+        :backend_service,
+        :backup_pool,
+        :base_instance_name,
+        :can_ip_forward,
+        :check_interval_sec,
+        :cluster_ipv4_cidr,
+        :combiner,
+        :common_instance_metadata,
+        :condition_threshold_value,
+        :conditions,
+        :config,
+        :cpu_platform,
+        :create_time_date,
+        :create_time,
+        :creation_record,
+        :creation_timestamp_date,
+        :creation_timestamp,
+        :crypto_key_name,
+        :crypto_key_url,
+        :current_actions,
+        :current_master_version,
+        :current_node_count,
+        :current_node_version,
+        :custom_features,
+        :dataset_id,
+        :dataset,
+        :default_exempted_members,
+        :default_service_account,
+        :default_types,
+        :deletion_protection,
+        :description,
+        :detailed_status,
+        :direction,
+        :disabled,
+        :disk_encryption_key,
+        :disk_size_gb,
+        :disks,
+        :display_name,
+        :dns_name,
+        :dnssec_config,
+        :enabled_features,
+        :enabled,
+        :endpoint,
+        :entry_point,
+        :environment_variables,
+        :etag,
+        :expire_time,
+        :failover_ratio,
+        :family,
+        :filename,
+        :filter,
+        :fingerprint,
+        :friendly_name,
+        :gateway_address,
+        :guest_accelerators,
+        :guest_os_features,
+        :health_check,
+        :healthy_threshold,
+        :host,
+        :ignored_files,
+        :ike_version,
+        :included_files,
+        :included_permissions,
+        :initial_cluster_version,
+        :initial_node_count,
+        :instance_group_urls,
+        :instance_group,
+        :instance_template,
+        :ip_address,
+        :ip_cidr_range,
+        :ip_protocol,
+        :ip_version,
+        :key_ring_name,
+        :key_ring_url,
+        :key_signing_key_algorithm,
+        :kind,
+        :kms_key_name,
+        :label_fingerprint,
+        :label_value_by_key,
+        :labels_keys,
+        :labels_values,
+        :labels,
+        :last_attach_timestamp,
+        :last_detach_timestamp,
+        :last_modified_time,
+        :legacy_abac,
+        :licenses,
+        :lifecycle_state,
+        :load_balancing_scheme,
+        :local_traffic_selector,
+        :location,
+        :logging_service,
+        :machine_type,
+        :managed_zone,
+        :management,
+        :master_auth,
+        :members,
+        :metadata_keys,
+        :metadata_value_by_key,
+        :metadata_values,
+        :metadata,
+        :min_cpu_platform,
+        :monitoring_service,
+        :mutation_record,
+        :name_servers,
+        :family,
+        :filename,
+        :filter,
+        :fingerprint,
+        :friendly_name,
+        :gateway_address,
+        :guest_accelerators,
+        :guest_os_features,
+        :health_check,
+        :healthy_threshold,
+        :host,
+        :ignored_files,
+        :ike_version,
+        :included_files,
+        :included_permissions,
+        :initial_cluster_version,
+        :initial_node_count,
+        :instance_group_urls,
+        :instance_group,
+        :instance_template,
+        :ip_address,
+        :ip_cidr_range,
+        :ip_protocol,
+        :ip_version,
+        :key_ring_name,
+        :key_ring_url,
+        :key_signing_key_algorithm,
+        :kind,
+        :kms_key_name,
+        :label_fingerprint,
+        :label_value_by_key,
+        :labels_keys,
+        :labels_values,
+        :labels,
+        :last_attach_timestamp,
+        :last_detach_timestamp,
+        :last_modified_time,
+        :legacy_abac,
+        :licenses,
+        :lifecycle_state,
+        :load_balancing_scheme,
+        :local_traffic_selector,
+        :location,
+        :logging_service,
+        :machine_type,
+        :managed_zone,
+        :management,
+        :master_auth,
+        :members,
+        :metadata_keys,
+        :metadata_value_by_key,
+        :metadata_values,
+        :metadata,
+        :min_cpu_platform,
+        :monitoring_service,
+        :mutation_record,
+        :name_servers,
+        :name,
+        :named_ports,
+        :network_interfaces,
+        :network,
+        :next_hop_gateway,
+        :next_hop_instance,
+        :next_hop_ip,
+        :next_hop_network,
+        :next_hop_vpn_tunnel,
+        :next_rotation_time_date,
+        :next_rotation_time,
+        :node_config,
+        :node_ipv4_cidr_size,
+        :node_pools,
+        :num_bytes,
+        :num_long_term_bytes,
+        :num_rows,
+        :output_version_format,
+        :parent,
+        :peer_ip,
+        :physical_block_size_bytes,
+        :port_range,
+        :port,
+        :ports,
+        :primary_create_time,
+        :primary_create_time_date,
+        :primary_name,
+        :primary_state,
+        :priority,
+        :private_ip_google_access,
+        :private_key,
+        :profile,
+        :project_id,
+        :project_number,
+        :protocol,
+        :proxy_header,
+        :purpose,
+        :quic_override,
+        :quotas,
+        :raw_disk,
+        :raw_key,
+        :region_name,
+        :region,
+        :remote_traffic_selector,
+        :request_path,
+        :rotation_period,
+        :router,
+        :routing_config,
+        :runtime,
+        :scheduling,
+        :self_link,
+        :service_account_email,
+        :service_accounts,
+        :service,
+        :services_ipv4_cidr,
+        :session_affinity,
+        :sha256,
+        :shared_secret_hash,
+        :shared_secret,
+        :size_gb,
+        :source_archive_url,
+        :source_disk,
+        :source_image_encryption_key,
+        :source_image_id,
+        :source_image,
+        :source_ranges,
+        :source_snapshot_encryption_key,
+        :source_snapshot_id,
+        :source_snapshot,
+        :source_type,
+        :source_upload_url,
+        :ssl_certificates,
+        :ssl_policy,
+        :stage,
+        :start_restricted,
+        :status,
+        :storage_bytes,
+        :subnetwork,
+        :substitutions,
+        :table_id,
+        :table_reference,
+        :tags,
+        :target_pools,
+        :target_size,
+        :target_tags,
+        :target_vpn_gateway,
+        :target,
+        :timeout_sec,
+        :timeout,
+        :title,
+        :ttl,
+        :type,
+        :unhealthy_threshold,
+        :update_time,
+        :url_map,
+        :users,
+        :version_id,
+        :version,
+        :writer_identity,
+        :xpn_project_status,
+        :zone_signing_key_algorithm,
+        :zone
+      ].freeze
+
+      # load the resource pack into InSpec::Resource.registry
+      def self.load_resource_pack(resource_path)
+        # find the libraries path in the resource pack
+        if resource_path.end_with?('libraries')
+          libpath = resource_path
+        else
+          libpath = resource_path+'/libraries'
+        end
+        $LOAD_PATH.push(libpath)
+        # find all the classes in the libpath and require them
+        # this adds them to the Inspec::Resource.registry
+        Dir.glob("#{libpath}/*.rb").each do |x|
+          begin
+            require(x)
+          rescue Exception =>e # rubocop:disable Lint/RescueException AWS is blowing up for some reason
+            puts e
+          end
+        end
+        @inspec_resources = Inspec::Resource.registry.keys
+      end
+
       # there really should be some way to get this directly from InSpec's resources
-      def self.resource_properties(resource)
+      def self.resource_properties(resource, platform)
         # remove the common methods, in theory only leaving only unique InSpec properties
-        inspec_properties = Inspec::Resource.registry[resource].instance_methods - COMMON_PROPERTIES
+        inspec_properties = Inspec::Resource.registry[resource].instance_methods + ADDITIONAL_COMMON_PROPERTIES
+        inspec_properties -= REMOVED_COMMON_PROPERTIES
+        case platform
+        when 'aws'
+          inspec_properties -= InspecPlugins::Iggy::Platforms::AwsHelper::AWS_REMOVED_PROPERTIES[resource] unless InspecPlugins::Iggy::Platforms::AwsHelper::AWS_REMOVED_PROPERTIES[resource].nil?
+        when 'azure'
+          inspec_properties -= InspecPlugins::Iggy::Platforms::AzureHelper::AZURE_REMOVED_PROPERTIES[resource] unless InspecPlugins::Iggy::Platforms::AzureHelper::AZURE_REMOVED_PROPERTIES[resource].nil?
+        when 'gcp'
+          inspec_properties -= InspecPlugins::Iggy::Platforms::GcpHelper::GCP_REMOVED_PROPERTIES[resource] unless InspecPlugins::Iggy::Platforms::GcpHelper::GCP_REMOVED_PROPERTIES[resource].nil?
+        end
         # get InSpec properties by method names
         inspec_properties.collect!(&:to_s)
         Inspec::Log.debug "InspecHelper.resource_properties #{resource} properties = #{inspec_properties}"
@@ -29,13 +456,21 @@ module InspecPlugins
         inspec_properties
       end
 
-      def self.tf_controls(title, generated_controls)
-        content = "# encoding: utf-8\n#\n\n"
+      def self.tf_controls(title, generated_controls, platform)
+        content = "title \"#{title}: generated by Iggy v#{Iggy::VERSION}\"\n"
 
-        content += "title \"#{title}: generated by Iggy v#{Iggy::VERSION}\"\n"
+        content += InspecPlugins::Iggy::Platforms::AwsHelper.tf_controls if platform.eql?('aws')
 
         # write all controls
-        content + generated_controls.flatten.map(&:to_ruby).join("\n\n")
+        generated_controls.flatten.each do |control|
+          if control.class.eql?(Inspec::Control)
+            content += control.to_ruby
+            content += "\n\n"
+          else # this is for embedded iterators in negative tests
+            content += control
+          end
+        end
+        content
       end
 
       def self.cfn_controls(title, generated_controls, stack)
@@ -58,25 +493,6 @@ module InspecPlugins
         controls.gsub!(/\]\"/, '"]')
         content + controls
       end
-
-      # a hack for sure, finds common methods as proxy for InSpec properties
-      COMMON_PROPERTIES = Inspec::Resource.registry['aws_subnet'].instance_methods &
-                          Inspec::Resource.registry['directory'].instance_methods
     end
-
-    # disabled extract functionality
-    # def self.print_commands(extracted_profiles)
-    #   extracted_profiles.keys.each do |cmd|
-    #     type = extracted_profiles[cmd]['type']
-    #     url = extracted_profiles[cmd]['url']
-    #     key_name = extracted_profiles[cmd]['key_name']
-    #     if type == 'aws_instance'
-    #       ip = extracted_profiles[cmd]['public_ip']
-    #       puts "inspec exec #{url} -t ssh://#{ip} -i #{key_name}"
-    #     else
-    #       puts "inspec exec #{url} -t aws://us-west-2"
-    #     end
-    #   end
-    # end
   end
 end