RubyGems - inspec-iggy - Versions diffs - 0.7.0 → 0.8.0 - Mend

inspec-iggy 0.7.0 → 0.8.0

Files changed (7) hide show

checksums.yaml +4 -4
data/README.md +19 -11
data/lib/inspec-iggy/inspec_helper.rb +48 -1
data/lib/inspec-iggy/platforms/aws_helper.rb +11 -1
data/lib/inspec-iggy/terraform/cli_command.rb +2 -0
data/lib/inspec-iggy/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0c6c518efc4c73cf153954ef3080635ce8c026675e910e0a42418f769b252bd7
-  data.tar.gz: ff777a9136a432e0dcd0fe38b2117199f68ca8b1742d95e5ced6b4393e0628af
+  metadata.gz: 33e20f8299008fe7a2756359d27d5eca674877b561fd47b2c29bde26fefe8c46
+  data.tar.gz: 806bebc4e3882cf4c85381f33a420fb5c002dd8ce85da17b702e4fdaebd12402
 SHA512:
-  metadata.gz: c39d8c8a9b84232b63994e5622198c3e3961652e745eaaebd837908c91ecfca57ecdcd036edc2c9171ac8a0148503b14ff50e42bbc0cae6287b17bb57bc31ed3
-  data.tar.gz: 69103758e44b2f3de34ed4506f806d443f576ae36716bbe03864cd1fae56d158091bc7efc1bb9b16f8e6dbaa7df588fe80809d39dd77109abb92a34384bf8065
+  metadata.gz: 9a1e5315a0bb9019f83106985fbc823717bf36ae695ad9d50e3f56c924d05be04d60c206c47b345e93cbbcb9cd0075d49805ee80a2823ec8906e349ba20f9358
+  data.tar.gz: 6761edf494652c5a39ab97fe87aa331a84ded7858cfc5f70e9391a7e825bf6ba02656da1f21ddd4fe492f614293042eff6995e499a02d8c03fe10ffb5aa51b32

data/README.md CHANGED

@@ -2,11 +2,10 @@
 [![Build Status Master](https://travis-ci.org/mattray/inspec-iggy.svg?branch=master)](https://travis-ci.org/mattray/inspec-iggy)
-InSpec-Iggy (InSpec Generate -> "IG" -> "Iggy") is an [InSpec](https://inspec.io) plugin for generating compliance controls and profiles from [Terraform](https://terraform.io) `tfstate` files and [AWS CloudFormation](https://aws.amazon.com/cloudformation/) templates. Iggy generates InSpec controls by mapping Terraform and CloudFormation resources to InSpec resources and exports a profile that may be used from the `inspec` CLI or uploaded to [Chef Automate](https://automate.chef.io/).
+InSpec-Iggy (InSpec Generate -> "IG" -> "Iggy") is an [InSpec](https://inspec.io) plugin for generating compliance controls and profiles from [Terraform](https://terraform.io) `tfstate` files and [AWS CloudFormation](https://aws.amazon.com/cloudformation/) templates. Iggy generates InSpec controls by mapping Terraform and CloudFormation resources to InSpec resources and exports a profile that may be used from the `inspec` CLI and report to [Chef Automate](https://automate.chef.io/).
-    inspec terraform generate -n myprofile
+    inspec terraform generate -n myprofile --platform aws --resourcepath /tmp/inspec-aws
     inspec exec myprofile -t aws://us-west-2
-    inspec compliance upload myprofile
 Iggy was originally a stand-alone CLI inspired by Christoph Hartmann's [inspec-verify-provision](https://github.com/chris-rock/inspec-verify-provision) and the blog post on testing [InSpec for provisioning testing: Verify Terraform setups with InSpec](http://lollyrock.com/articles/inspec-terraform/).
@@ -36,9 +35,11 @@ Written and tested with Ruby 2.6 and InSpec 4.
     $ inspec plugin install inspec-iggy
+You will need to download the [inspec-aws](https://github.com/inspec/inspec-aws)|[inspec-azure](https://github.com/inspec/inspec-azure)|[inspec-gcp](https://github.com/inspec/inspec-gcp) resources packs as necessary and place them in your path for loading via `--resourcepath`.
 # InSpec Terraform Generate<a name="itg"></a>
-    inspec terraform generate --tfstate terraform.tfstate --name myprofile
+    inspec terraform generate --tfstate terraform.tfstate --name myprofile --platform aws --resourcepath /tmp/inspec-aws
 Iggy dynamically pulls the available Cloud resources from InSpec and attempts to map them to Terraform resources, producing an InSpec profile. ```inspec terraform generate --help``` will show all available options.
@@ -48,6 +49,8 @@ Iggy dynamically pulls the available Cloud resources from InSpec and attempts to
      -n, --name=NAME                  Name of profile to be generated (required)
      -t, [--tfstate=TFSTATE]          Specify path to the input terraform.tfstate (default: .)
+     --platform=gcp|aws|azure         Cloud provider name
+     --resourcepath=PATH              Location of inspec-gcp|inspec-aws|inspec-azure resources
      [--copyright=COPYRIGHT]          Name of the copyright holder (default: The Authors)
      [--email=EMAIL]                  Email address of the author (default: you@example.com)
      [--license=LICENSE]              License for the profile (default: Apache-2.0)
@@ -59,13 +62,11 @@ Iggy dynamically pulls the available Cloud resources from InSpec and attempts to
      [--debug], [--no-debug]          Verbose debugging messages
      [--log-level=LOG_LEVEL]          Set the log level: info (default), debug, warn, error
      [--log-location=LOG_LOCATION]    Location to send diagnostic log messages to. (default: STDOUT or Inspec::Log.error)
-     [--platform=gcp|aws|azure]       Cloud provider name
-     [--resourcepath=INSPEC_CLOUD_RESOURCE_PATH] Location of inspec-gcp|inspec-aws|inspec-azure resources
      Note: --resourcepath should point to the directory where inspec-<cloud_provider> resource pack is downloaded/cloned from GitHub.
 # InSpec Terraform Negative<a name="itn"></a>
-    inspec terraform negative --tfstate terraform.tfstate --name myprofile
+    inspec terraform negative --tfstate terraform.tfstate --name myprofile --platform aws --resourcepath /tmp/inspec-aws
 Iggy dynamically pulls the available Cloud resources from InSpec and attempts to map them to Terraform resources, producing an InSpec profile which are not part of tfstate file. It informs the user that these resources are not part of tfstate file and can be deleted if not needed.```inspec terraform negative --help``` will show all available options.
@@ -75,6 +76,8 @@ Iggy dynamically pulls the available Cloud resources from InSpec and attempts to
      -n, --name=NAME                  Name of profile to be generated (required)
      -t, [--tfstate=TFSTATE]          Specify path to the input terraform.tfstate (default: .)
+     --platform=gcp|aws|azure         Cloud provider name
+     --resourcepath=PATH              Location of inspec-gcp|inspec-aws|inspec-azure resources
      [--copyright=COPYRIGHT]          Name of the copyright holder (default: The Authors)
      [--email=EMAIL]                  Email address of the author (default: you@example.com)
      [--license=LICENSE]              License for the profile (default: Apache-2.0)
@@ -86,8 +89,7 @@ Iggy dynamically pulls the available Cloud resources from InSpec and attempts to
      [--debug], [--no-debug]          Verbose debugging messages
      [--log-level=LOG_LEVEL]          Set the log level: info (default), debug, warn, error
      [--log-location=LOG_LOCATION]    Location to send diagnostic log messages to. (default: STDOUT or Inspec::Log.error)
-     [--platform=gcp|aws|azure]       Cloud provider name
-     [--resourcepath=INSPEC_CLOUD_RESOURCE_PATH] Location of inspec-gcp|inspec-aws|inspec-azure resources
      Note: --resourcepath should point to the directory where inspec-<cloud_provider> resource pack is downloaded/cloned from GitHub.
 # InSpec CloudFormation Generate<a name="icg"></a>
@@ -115,6 +117,12 @@ Iggy supports AWS CloudFormation templates by mapping the AWS resources to InSpe
      [--log-level=LOG_LEVEL]          Set the log level: info (default), debug, warn, error
      [--log-location=LOG_LOCATION]    Location to send diagnostic log messages to. (default: STDOUT or Inspec::Log.error)
+# InSpec Iggy<a name="ii"></a>
+    inspec iggy version
+This command exists for checking the Iggy plugin version, primarily for debugging purposes.
 # Development and Testing<a name="development"></a>
 The [DESIGN.md](DESIGN.md) file outlines how the code is structured if you wish to extend functionality. We welcome patches, suggestions, and issues.
@@ -127,13 +135,13 @@ To point `inspec` at a local copy of `inspec-iggy` for development, use:
 ## Testing Iggy
-Unit, Functional, and Integration tests are provided, though more are welcome. Iggy uses the Minitest library for testing, using the classic `def test...` syntax. Because Iggy loads InSpec into memory, and InSpec uses RSpec internally, Spec-style testing breaks.
+Unit, Functional, and Integration tests are provided, though more are welcome. Iggy uses the Minitest library for unit testing, using the classic `def test...` syntax. Because Iggy loads InSpec into memory, and InSpec uses RSpec internally, Spec-style testing breaks. For Integration and regression testing Iggy uses InSpec itself for tests (check the Rakefile and [test/inspec](test/inspec) for examples).
 To run all tests, run
     $ bundle exec rake test
-Linting is also provided via Rubocop.
+Linting is also provided via [Chefstyle](https://github.com/chef/chefstyle).
 To check for code style issues, run:

data/lib/inspec-iggy/inspec_helper.rb CHANGED

@@ -159,6 +159,7 @@ module InspecPlugins
         # :id, #disabled for GCP
         # :ip_version, # documented but undefined
         # :network, # documented but undefined
+        # :tags, # returns emtpy hashes when null
         :addons_config,
         :address,
         :address_type,
@@ -167,6 +168,7 @@ module InspecPlugins
         :aggregation_per_series_aligner,
         :allowed,
         :archive_size_bytes,
+        :associations,
         :auto_create_subnetworks,
         :availability_zone,
         :availability_zones,
@@ -177,8 +179,13 @@ module InspecPlugins
         :backup_pool,
         :base_instance_name,
         :can_ip_forward,
+        :canonical_hosted_zone_id,
+        :capabilities,
+        :change_set_id,
         :check_interval_sec,
         :cidr_block,
+        :cloud_watch_logs_log_group_arn,
+        :cloud_watch_logs_role_arn,
         :cluster_ipv4_cidr,
         :combiner,
         :common_instance_metadata,
@@ -188,7 +195,9 @@ module InspecPlugins
         :cpu_platform,
         :create_time,
         :create_time_date,
+        :created_time,
         :creation_record,
+        :creation_time,
         :creation_timestamp,
         :creation_timestamp_date,
         :crypto_key_name,
@@ -204,10 +213,13 @@ module InspecPlugins
         :default_service_account,
         :default_types,
         :deletion_protection,
+        :deletion_time,
         :description,
+        :desired_capacity,
         :detailed_status,
         :dhcp_options_id,
         :direction,
+        :disable_rollback,
         :disabled,
         :disk_encryption_key,
         :disk_size_gb,
@@ -215,7 +227,9 @@ module InspecPlugins
         :display_name,
         :dns_name,
         :dnssec_config,
+        :drift_information,
         :ebs_volumes,
+        :enable_termination_protection,
         :enabled,
         :enabled_features,
         :endpoint,
@@ -236,7 +250,9 @@ module InspecPlugins
         :guest_accelerators,
         :guest_os_features,
         :health_check,
+        :health_check_type,
         :healthy_threshold,
+        :home_region,
         :host,
         :ignored_files,
         :ike_version,
@@ -257,10 +273,12 @@ module InspecPlugins
         :ip_cidr_range,
         :ip_protocol,
         :ip_version,
+        :is_multi_region_trail,
         :key_ring_name,
         :key_ring_url,
         :key_signing_key_algorithm,
         :kind,
+        :kms_key_id,
         :kms_key_name,
         :label_fingerprint,
         :label_value_by_key,
@@ -270,24 +288,32 @@ module InspecPlugins
         :last_attach_timestamp,
         :last_detach_timestamp,
         :last_modified_time,
+        :last_updated_time,
+        :launch_configuration_name,
         :launch_time,
         :legacy_abac,
         :licenses,
         :lifecycle_state,
+        :load_balancer_addresses,
+        :load_balancer_arn,
+        :load_balancer_name,
         :load_balancing_scheme,
         :local_traffic_selector,
         :location,
+        :log_file_validation_enabled,
         :logging_service,
         :machine_type,
         :managed_zone,
         :management,
         :master_auth,
+        :max_size,
         :members,
         :metadata,
         :metadata_keys,
         :metadata_value_by_key,
         :metadata_values,
         :min_cpu_platform,
+        :min_size,
         :monitoring_service,
         :mutation_record,
         :name,
@@ -305,13 +331,18 @@ module InspecPlugins
         :node_config,
         :node_ipv4_cidr_size,
         :node_pools,
+        :notification_arns,
         :num_bytes,
         :num_long_term_bytes,
         :num_rows,
         :outbound_rules,
         :outbound_rules_count,
         :output_version_format,
+        :outputs,
+        :owner_id,
+        :parameters,
         :parent,
+        :parent_id,
         :peer_ip,
         :physical_block_size_bytes,
         :port,
@@ -327,6 +358,7 @@ module InspecPlugins
         :profile,
         :project_id,
         :project_number,
+        :propagating_vgws,
         :protocol,
         :proxy_header,
         :purpose,
@@ -338,11 +370,17 @@ module InspecPlugins
         :region_name,
         :remote_traffic_selector,
         :request_path,
+        :role_arn,
+        :rollback_configuration,
+        :root_id,
         :rotation_period,
         :router,
+        :routes,
         :routing_config,
         :runtime,
+        :s3_bucket_name,
         :scheduling,
+        :scheme,
         :security_group_ids,
         :security_groups,
         :self_link,
@@ -368,6 +406,10 @@ module InspecPlugins
         :source_upload_url,
         :ssl_certificates,
         :ssl_policy,
+        :stack_id,
+        :stack_name,
+        :stack_status,
+        :stack_status_reason,
         :stage,
         :start_restricted,
         :state,
@@ -375,19 +417,22 @@ module InspecPlugins
         :storage_bytes,
         :subnet_id,
         :subnet_ids,
+        :subnets,
         :subnetwork,
         :substitutions,
         :table_id,
         :table_reference,
-        :tags,
         :target,
         :target_pools,
         :target_size,
         :target_tags,
         :target_vpn_gateway,
         :timeout,
+        :timeout_in_minutes,
         :timeout_sec,
         :title,
+        :trail_arn,
+        :trail_name,
         :ttl,
         :type,
         :unhealthy_threshold,
@@ -397,9 +442,11 @@ module InspecPlugins
         :version,
         :version_id,
         :vpc_id,
+        :vpc_zone_identifier,
         :writer_identity,
         :xpn_project_status,
         :zone,
+        :zone_names,
         :zone_signing_key_algorithm,
       ].freeze

data/lib/inspec-iggy/platforms/aws_helper.rb CHANGED

@@ -7,8 +7,12 @@ module InspecPlugins::Iggy::Platforms
     # find the additional parameters for the 'describe'.
     # NOTE: the first entry is going to map to the 'id' from the .tfstate file
     AWS_RESOURCE_QUALIFIERS = {
+      "aws_alb" => %i{load_balancer_name},
+      "aws_cloudformation_stack" => %i{stack_id},
+      "aws_cloudtrail_trail" => %i{trail_name},
       "aws_ec2_instance" => %i{instance_id},
       "aws_elb" => %i{load_balancer_name},
+      "aws_route_table" => %i{route_table_id},
       "aws_security_group" => %i{group_id vpc_id},
       "aws_subnet" => %i{subnet_id},
       "aws_vpc" => %i{vpc_id},
@@ -16,19 +20,25 @@ module InspecPlugins::Iggy::Platforms
     # the iterators for the various resource types
     AWS_RESOURCE_ITERATORS = {
+      "aws_auto_scaling_group" => { "iterator" => "aws_auto_scaling_groups", "index" => "names" },
+      "aws_cloudtrail_trail" => { "iterator" => "aws_cloudtrail_trails", "index" => "names" },
       "aws_ec2_instance" => { "iterator" => "aws_ec2_instances", "index" => "instance_ids", "qualifiers" => [:vpc_id] },
       "aws_elb" => { "iterator" => "aws_elbs", "index" => "load_balancer_names", "qualifiers" => [:vpc_id] },
+      "aws_route_table" => { "iterator" => "aws_route_tables", "index" => "route_table_ids", "qualifiers" => [:vpc_id] },
       "aws_security_group" => { "iterator" => "aws_security_groups", "index" => "group_ids", "qualifiers" => [:vpc_id] },
       "aws_subnet" => { "iterator" => "aws_subnets", "index" => "subnet_ids", "qualifiers" => [:vpc_id] },
       "aws_vpc" => { "iterator" => "aws_vpcs", "index" => "vpc_ids" },
     }.freeze
     AWS_REMOVED_PROPERTIES = {
-      "aws_elb" => %i{health_check security_groups}, # not sure how to test this yet
       "aws_ec2_instance" => %i{security_groups}, # not sure how to test this yet
+      "aws_elb" => %i{health_check security_groups}, # not sure how to test this yet
+      "aws_security_group" => %i{owner_id tags}, # tags are {} instead of nil
     }.freeze
     AWS_TRANSLATED_RESOURCE_PROPERTIES = {
+      "aws_alb" => { "name" => "load_balancer_name" },
+      "aws_cloudtrail_trail" => { "name" => "trail_name" },
       "aws_elb" => { "name" => "load_balancer_name" },
       "aws_security_group" => { "name" => "group_name" },
     }.freeze

data/lib/inspec-iggy/terraform/cli_command.rb CHANGED

@@ -61,9 +61,11 @@ module InspecPlugins::Iggy
                    default: "terraform.tfstate"
       class_option :platform,
+                   required: true,
                    desc: "The InSpec platform providing the necessary resources (aws, azure, or gcp)"
       class_option :resourcepath,
+                   required: true,
                    desc: "Specify path to the InSpec Resource Pack providing the necessary resources"
       desc "generate [options]", "Generate InSpec compliance controls from terraform.tfstate"

data/lib/inspec-iggy/version.rb CHANGED

@@ -2,6 +2,6 @@
 module InspecPlugins
   module Iggy
-    VERSION = "0.7.0".freeze
+    VERSION = "0.8.0".freeze
   end
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-iggy
 version: !ruby/object:Gem::Version
-  version: 0.7.0
+  version: 0.8.0
 platform: ruby
 authors:
 - Matt Ray
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-12-16 00:00:00.000000000 Z
+date: 2019-12-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: inspec