inspec-iggy 0.7.0 → 0.8.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 0c6c518efc4c73cf153954ef3080635ce8c026675e910e0a42418f769b252bd7
4
- data.tar.gz: ff777a9136a432e0dcd0fe38b2117199f68ca8b1742d95e5ced6b4393e0628af
3
+ metadata.gz: 33e20f8299008fe7a2756359d27d5eca674877b561fd47b2c29bde26fefe8c46
4
+ data.tar.gz: 806bebc4e3882cf4c85381f33a420fb5c002dd8ce85da17b702e4fdaebd12402
5
5
  SHA512:
6
- metadata.gz: c39d8c8a9b84232b63994e5622198c3e3961652e745eaaebd837908c91ecfca57ecdcd036edc2c9171ac8a0148503b14ff50e42bbc0cae6287b17bb57bc31ed3
7
- data.tar.gz: 69103758e44b2f3de34ed4506f806d443f576ae36716bbe03864cd1fae56d158091bc7efc1bb9b16f8e6dbaa7df588fe80809d39dd77109abb92a34384bf8065
6
+ metadata.gz: 9a1e5315a0bb9019f83106985fbc823717bf36ae695ad9d50e3f56c924d05be04d60c206c47b345e93cbbcb9cd0075d49805ee80a2823ec8906e349ba20f9358
7
+ data.tar.gz: 6761edf494652c5a39ab97fe87aa331a84ded7858cfc5f70e9391a7e825bf6ba02656da1f21ddd4fe492f614293042eff6995e499a02d8c03fe10ffb5aa51b32
data/README.md CHANGED
@@ -2,11 +2,10 @@
2
2
 
3
3
  [![Build Status Master](https://travis-ci.org/mattray/inspec-iggy.svg?branch=master)](https://travis-ci.org/mattray/inspec-iggy)
4
4
 
5
- InSpec-Iggy (InSpec Generate -> "IG" -> "Iggy") is an [InSpec](https://inspec.io) plugin for generating compliance controls and profiles from [Terraform](https://terraform.io) `tfstate` files and [AWS CloudFormation](https://aws.amazon.com/cloudformation/) templates. Iggy generates InSpec controls by mapping Terraform and CloudFormation resources to InSpec resources and exports a profile that may be used from the `inspec` CLI or uploaded to [Chef Automate](https://automate.chef.io/).
5
+ InSpec-Iggy (InSpec Generate -> "IG" -> "Iggy") is an [InSpec](https://inspec.io) plugin for generating compliance controls and profiles from [Terraform](https://terraform.io) `tfstate` files and [AWS CloudFormation](https://aws.amazon.com/cloudformation/) templates. Iggy generates InSpec controls by mapping Terraform and CloudFormation resources to InSpec resources and exports a profile that may be used from the `inspec` CLI and report to [Chef Automate](https://automate.chef.io/).
6
6
 
7
- inspec terraform generate -n myprofile
7
+ inspec terraform generate -n myprofile --platform aws --resourcepath /tmp/inspec-aws
8
8
  inspec exec myprofile -t aws://us-west-2
9
- inspec compliance upload myprofile
10
9
 
11
10
  Iggy was originally a stand-alone CLI inspired by Christoph Hartmann's [inspec-verify-provision](https://github.com/chris-rock/inspec-verify-provision) and the blog post on testing [InSpec for provisioning testing: Verify Terraform setups with InSpec](http://lollyrock.com/articles/inspec-terraform/).
12
11
 
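Review bot: the rewritten description on the `+ InSpec-Iggy ...` line ends "may be used from the `inspec` CLI and report to Chef Automate", which is ungrammatical; make it "used from the `inspec` CLI and reported to Chef Automate" so both verbs hang off "may be". Dropping `inspec compliance upload myprofile` from the quick start is consistent with that new wording, and the `--platform aws --resourcepath /tmp/inspec-aws` flags added to the `generate` line match the two options becoming required in the CLI hunk.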
@@ -36,9 +35,11 @@ Written and tested with Ruby 2.6 and InSpec 4.
36
35
 
37
36
  $ inspec plugin install inspec-iggy
38
37
 
38
+ You will need to download the [inspec-aws](https://github.com/inspec/inspec-aws)|[inspec-azure](https://github.com/inspec/inspec-azure)|[inspec-gcp](https://github.com/inspec/inspec-gcp) resources packs as necessary and place them in your path for loading via `--resourcepath`.
39
+
39
40
  # InSpec Terraform Generate<a name="itg"></a>
40
41
 
41
- inspec terraform generate --tfstate terraform.tfstate --name myprofile
42
+ inspec terraform generate --tfstate terraform.tfstate --name myprofile --platform aws --resourcepath /tmp/inspec-aws
42
43
 
43
44
  Iggy dynamically pulls the available Cloud resources from InSpec and attempts to map them to Terraform resources, producing an InSpec profile. ```inspec terraform generate --help``` will show all available options.
44
45
 
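Review bot: "resources packs" on the added line should be "resource packs", and "place them in your path for loading via `--resourcepath`" is misleading because the option takes the directory the pack was cloned into, not an entry on `PATH`; say "clone them to a local directory and point `--resourcepath` at it". Because these packs are Ruby code that InSpec loads into the generator, the sentence should also tell users to check out a tagged release of inspec-aws, inspec-azure or inspec-gcp rather than an arbitrary branch head, so the resource definitions being mapped are a known version.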
@@ -48,6 +49,8 @@ Iggy dynamically pulls the available Cloud resources from InSpec and attempts to
48
49
 
49
50
  -n, --name=NAME Name of profile to be generated (required)
50
51
  -t, [--tfstate=TFSTATE] Specify path to the input terraform.tfstate (default: .)
52
+ --platform=gcp|aws|azure Cloud provider name
53
+ --resourcepath=PATH Location of inspec-gcp|inspec-aws|inspec-azure resources
51
54
  [--copyright=COPYRIGHT] Name of the copyright holder (default: The Authors)
52
55
  [--email=EMAIL] Email address of the author (default: you@example.com)
53
56
  [--license=LICENSE] License for the profile (default: Apache-2.0)
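Review bot: moving `--platform` and `--resourcepath` up and dropping their square brackets correctly reflects that they are now required, but the placeholder changed from `INSPEC_CLOUD_RESOURCE_PATH` to `PATH` while the `class_option :resourcepath` hunk below only adds `required: true`; confirm this block still matches the real `inspec terraform generate --help` output rather than a hand-edited version.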
@@ -59,13 +62,11 @@ Iggy dynamically pulls the available Cloud resources from InSpec and attempts to
59
62
  [--debug], [--no-debug] Verbose debugging messages
60
63
  [--log-level=LOG_LEVEL] Set the log level: info (default), debug, warn, error
61
64
  [--log-location=LOG_LOCATION] Location to send diagnostic log messages to. (default: STDOUT or Inspec::Log.error)
62
- [--platform=gcp|aws|azure] Cloud provider name
63
- [--resourcepath=INSPEC_CLOUD_RESOURCE_PATH] Location of inspec-gcp|inspec-aws|inspec-azure resources
64
65
  Note: --resourcepath should point to the directory where inspec-<cloud_provider> resource pack is downloaded/cloned from GitHub.
65
66
 
66
67
  # InSpec Terraform Negative<a name="itn"></a>
67
68
 
68
- inspec terraform negative --tfstate terraform.tfstate --name myprofile
69
+ inspec terraform negative --tfstate terraform.tfstate --name myprofile --platform aws --resourcepath /tmp/inspec-aws
69
70
 
70
71
  Iggy dynamically pulls the available Cloud resources from InSpec and attempts to map them to Terraform resources, producing an InSpec profile which are not part of tfstate file. It informs the user that these resources are not part of tfstate file and can be deleted if not needed.```inspec terraform negative --help``` will show all available options.
71
72
 
@@ -75,6 +76,8 @@ Iggy dynamically pulls the available Cloud resources from InSpec and attempts to
75
76
 
76
77
  -n, --name=NAME Name of profile to be generated (required)
77
78
  -t, [--tfstate=TFSTATE] Specify path to the input terraform.tfstate (default: .)
79
+ --platform=gcp|aws|azure Cloud provider name
80
+ --resourcepath=PATH Location of inspec-gcp|inspec-aws|inspec-azure resources
78
81
  [--copyright=COPYRIGHT] Name of the copyright holder (default: The Authors)
79
82
  [--email=EMAIL] Email address of the author (default: you@example.com)
80
83
  [--license=LICENSE] License for the profile (default: Apache-2.0)
@@ -86,8 +89,7 @@ Iggy dynamically pulls the available Cloud resources from InSpec and attempts to
86
89
  [--debug], [--no-debug] Verbose debugging messages
87
90
  [--log-level=LOG_LEVEL] Set the log level: info (default), debug, warn, error
88
91
  [--log-location=LOG_LOCATION] Location to send diagnostic log messages to. (default: STDOUT or Inspec::Log.error)
89
- [--platform=gcp|aws|azure] Cloud provider name
90
- [--resourcepath=INSPEC_CLOUD_RESOURCE_PATH] Location of inspec-gcp|inspec-aws|inspec-azure resources
92
+
91
93
  Note: --resourcepath should point to the directory where inspec-<cloud_provider> resource pack is downloaded/cloned from GitHub.
92
94
 
93
95
  # InSpec CloudFormation Generate<a name="icg"></a>
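Review bot: the added blank `+` line before `Note: --resourcepath should point to ...` leaves two consecutive blank lines in the Negative section, while the corresponding hunk in the Generate section (`@@ -59,13 +62,11`) removes the two option lines without adding one; drop the extra blank so both help blocks are formatted the same.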
@@ -115,6 +117,12 @@ Iggy supports AWS CloudFormation templates by mapping the AWS resources to InSpe
115
117
  [--log-level=LOG_LEVEL] Set the log level: info (default), debug, warn, error
116
118
  [--log-location=LOG_LOCATION] Location to send diagnostic log messages to. (default: STDOUT or Inspec::Log.error)
117
119
 
120
+ # InSpec Iggy<a name="ii"></a>
121
+
122
+ inspec iggy version
123
+
124
+ This command exists for checking the Iggy plugin version, primarily for debugging purposes.
125
+
118
126
  # Development and Testing<a name="development"></a>
119
127
 
120
128
  The [DESIGN.md](DESIGN.md) file outlines how the code is structured if you wish to extend functionality. We welcome patches, suggestions, and issues.
@@ -127,13 +135,13 @@ To point `inspec` at a local copy of `inspec-iggy` for development, use:
127
135
 
128
136
  ## Testing Iggy
129
137
 
130
- Unit, Functional, and Integration tests are provided, though more are welcome. Iggy uses the Minitest library for testing, using the classic `def test...` syntax. Because Iggy loads InSpec into memory, and InSpec uses RSpec internally, Spec-style testing breaks.
138
+ Unit, Functional, and Integration tests are provided, though more are welcome. Iggy uses the Minitest library for unit testing, using the classic `def test...` syntax. Because Iggy loads InSpec into memory, and InSpec uses RSpec internally, Spec-style testing breaks. For Integration and regression testing Iggy uses InSpec itself for tests (check the Rakefile and [test/inspec](test/inspec) for examples).
131
139
 
132
140
  To run all tests, run
133
141
 
134
142
  $ bundle exec rake test
135
143
 
136
- Linting is also provided via Rubocop.
144
+ Linting is also provided via [Chefstyle](https://github.com/chef/chefstyle).
137
145
 
138
146
  To check for code style issues, run:
139
147
 
@@ -159,6 +159,7 @@ module InspecPlugins
159
159
  # :id, #disabled for GCP
160
160
  # :ip_version, # documented but undefined
161
161
  # :network, # documented but undefined
162
+ # :tags, # returns emtpy hashes when null
162
163
  :addons_config,
163
164
  :address,
164
165
  :address_type,
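Review bot: typo in the added `# :tags, # returns emtpy hashes when null` line ("emtpy" should be "empty"); also, the other commented-out entries above it say why the property is disabled, so this one should name the platform where the empty hash is returned, since the matching `AWS_REMOVED_PROPERTIES` change suggests it is AWS-specific.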
@@ -167,6 +168,7 @@ module InspecPlugins
167
168
  :aggregation_per_series_aligner,
168
169
  :allowed,
169
170
  :archive_size_bytes,
171
+ :associations,
170
172
  :auto_create_subnetworks,
171
173
  :availability_zone,
172
174
  :availability_zones,
@@ -177,8 +179,13 @@ module InspecPlugins
177
179
  :backup_pool,
178
180
  :base_instance_name,
179
181
  :can_ip_forward,
182
+ :canonical_hosted_zone_id,
183
+ :capabilities,
184
+ :change_set_id,
180
185
  :check_interval_sec,
181
186
  :cidr_block,
187
+ :cloud_watch_logs_log_group_arn,
188
+ :cloud_watch_logs_role_arn,
182
189
  :cluster_ipv4_cidr,
183
190
  :combiner,
184
191
  :common_instance_metadata,
@@ -188,7 +195,9 @@ module InspecPlugins
188
195
  :cpu_platform,
189
196
  :create_time,
190
197
  :create_time_date,
198
+ :created_time,
191
199
  :creation_record,
200
+ :creation_time,
192
201
  :creation_timestamp,
193
202
  :creation_timestamp_date,
194
203
  :crypto_key_name,
@@ -204,10 +213,13 @@ module InspecPlugins
204
213
  :default_service_account,
205
214
  :default_types,
206
215
  :deletion_protection,
216
+ :deletion_time,
207
217
  :description,
218
+ :desired_capacity,
208
219
  :detailed_status,
209
220
  :dhcp_options_id,
210
221
  :direction,
222
+ :disable_rollback,
211
223
  :disabled,
212
224
  :disk_encryption_key,
213
225
  :disk_size_gb,
@@ -215,7 +227,9 @@ module InspecPlugins
215
227
  :display_name,
216
228
  :dns_name,
217
229
  :dnssec_config,
230
+ :drift_information,
218
231
  :ebs_volumes,
232
+ :enable_termination_protection,
219
233
  :enabled,
220
234
  :enabled_features,
221
235
  :endpoint,
@@ -236,7 +250,9 @@ module InspecPlugins
236
250
  :guest_accelerators,
237
251
  :guest_os_features,
238
252
  :health_check,
253
+ :health_check_type,
239
254
  :healthy_threshold,
255
+ :home_region,
240
256
  :host,
241
257
  :ignored_files,
242
258
  :ike_version,
@@ -257,10 +273,12 @@ module InspecPlugins
257
273
  :ip_cidr_range,
258
274
  :ip_protocol,
259
275
  :ip_version,
276
+ :is_multi_region_trail,
260
277
  :key_ring_name,
261
278
  :key_ring_url,
262
279
  :key_signing_key_algorithm,
263
280
  :kind,
281
+ :kms_key_id,
264
282
  :kms_key_name,
265
283
  :label_fingerprint,
266
284
  :label_value_by_key,
@@ -270,24 +288,32 @@ module InspecPlugins
270
288
  :last_attach_timestamp,
271
289
  :last_detach_timestamp,
272
290
  :last_modified_time,
291
+ :last_updated_time,
292
+ :launch_configuration_name,
273
293
  :launch_time,
274
294
  :legacy_abac,
275
295
  :licenses,
276
296
  :lifecycle_state,
297
+ :load_balancer_addresses,
298
+ :load_balancer_arn,
299
+ :load_balancer_name,
277
300
  :load_balancing_scheme,
278
301
  :local_traffic_selector,
279
302
  :location,
303
+ :log_file_validation_enabled,
280
304
  :logging_service,
281
305
  :machine_type,
282
306
  :managed_zone,
283
307
  :management,
284
308
  :master_auth,
309
+ :max_size,
285
310
  :members,
286
311
  :metadata,
287
312
  :metadata_keys,
288
313
  :metadata_value_by_key,
289
314
  :metadata_values,
290
315
  :min_cpu_platform,
316
+ :min_size,
291
317
  :monitoring_service,
292
318
  :mutation_record,
293
319
  :name,
@@ -305,13 +331,18 @@ module InspecPlugins
305
331
  :node_config,
306
332
  :node_ipv4_cidr_size,
307
333
  :node_pools,
334
+ :notification_arns,
308
335
  :num_bytes,
309
336
  :num_long_term_bytes,
310
337
  :num_rows,
311
338
  :outbound_rules,
312
339
  :outbound_rules_count,
313
340
  :output_version_format,
341
+ :outputs,
342
+ :owner_id,
343
+ :parameters,
314
344
  :parent,
345
+ :parent_id,
315
346
  :peer_ip,
316
347
  :physical_block_size_bytes,
317
348
  :port,
@@ -327,6 +358,7 @@ module InspecPlugins
327
358
  :profile,
328
359
  :project_id,
329
360
  :project_number,
361
+ :propagating_vgws,
330
362
  :protocol,
331
363
  :proxy_header,
332
364
  :purpose,
@@ -338,11 +370,17 @@ module InspecPlugins
338
370
  :region_name,
339
371
  :remote_traffic_selector,
340
372
  :request_path,
373
+ :role_arn,
374
+ :rollback_configuration,
375
+ :root_id,
341
376
  :rotation_period,
342
377
  :router,
378
+ :routes,
343
379
  :routing_config,
344
380
  :runtime,
381
+ :s3_bucket_name,
345
382
  :scheduling,
383
+ :scheme,
346
384
  :security_group_ids,
347
385
  :security_groups,
348
386
  :self_link,
@@ -368,6 +406,10 @@ module InspecPlugins
368
406
  :source_upload_url,
369
407
  :ssl_certificates,
370
408
  :ssl_policy,
409
+ :stack_id,
410
+ :stack_name,
411
+ :stack_status,
412
+ :stack_status_reason,
371
413
  :stage,
372
414
  :start_restricted,
373
415
  :state,
@@ -375,19 +417,22 @@ module InspecPlugins
375
417
  :storage_bytes,
376
418
  :subnet_id,
377
419
  :subnet_ids,
420
+ :subnets,
378
421
  :subnetwork,
379
422
  :substitutions,
380
423
  :table_id,
381
424
  :table_reference,
382
- :tags,
383
425
  :target,
384
426
  :target_pools,
385
427
  :target_size,
386
428
  :target_tags,
387
429
  :target_vpn_gateway,
388
430
  :timeout,
431
+ :timeout_in_minutes,
389
432
  :timeout_sec,
390
433
  :title,
434
+ :trail_arn,
435
+ :trail_name,
391
436
  :ttl,
392
437
  :type,
393
438
  :unhealthy_threshold,
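Review bot: removing `:tags` from the live list here is the change that drops tag properties from every generated control on every platform; the commented-out `# :tags` added at the top of the list only documents it. If the only problem is that AWS returns `{}` instead of `nil`, it would be better to keep `:tags` and have the generator skip empty-hash values, because tag-based controls (required owner or environment tags, for example) are among the more useful compliance checks Iggy can emit.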
@@ -397,9 +442,11 @@ module InspecPlugins
397
442
  :version,
398
443
  :version_id,
399
444
  :vpc_id,
445
+ :vpc_zone_identifier,
400
446
  :writer_identity,
401
447
  :xpn_project_status,
402
448
  :zone,
449
+ :zone_names,
403
450
  :zone_signing_key_algorithm,
404
451
  ].freeze
405
452
 
@@ -7,8 +7,12 @@ module InspecPlugins::Iggy::Platforms
7
7
  # find the additional parameters for the 'describe'.
8
8
  # NOTE: the first entry is going to map to the 'id' from the .tfstate file
9
9
  AWS_RESOURCE_QUALIFIERS = {
10
+ "aws_alb" => %i{load_balancer_name},
11
+ "aws_cloudformation_stack" => %i{stack_id},
12
+ "aws_cloudtrail_trail" => %i{trail_name},
10
13
  "aws_ec2_instance" => %i{instance_id},
11
14
  "aws_elb" => %i{load_balancer_name},
15
+ "aws_route_table" => %i{route_table_id},
12
16
  "aws_security_group" => %i{group_id vpc_id},
13
17
  "aws_subnet" => %i{subnet_id},
14
18
  "aws_vpc" => %i{vpc_id},
@@ -16,19 +20,25 @@ module InspecPlugins::Iggy::Platforms
16
20
 
17
21
  # the iterators for the various resource types
18
22
  AWS_RESOURCE_ITERATORS = {
23
+ "aws_auto_scaling_group" => { "iterator" => "aws_auto_scaling_groups", "index" => "names" },
24
+ "aws_cloudtrail_trail" => { "iterator" => "aws_cloudtrail_trails", "index" => "names" },
19
25
  "aws_ec2_instance" => { "iterator" => "aws_ec2_instances", "index" => "instance_ids", "qualifiers" => [:vpc_id] },
20
26
  "aws_elb" => { "iterator" => "aws_elbs", "index" => "load_balancer_names", "qualifiers" => [:vpc_id] },
27
+ "aws_route_table" => { "iterator" => "aws_route_tables", "index" => "route_table_ids", "qualifiers" => [:vpc_id] },
21
28
  "aws_security_group" => { "iterator" => "aws_security_groups", "index" => "group_ids", "qualifiers" => [:vpc_id] },
22
29
  "aws_subnet" => { "iterator" => "aws_subnets", "index" => "subnet_ids", "qualifiers" => [:vpc_id] },
23
30
  "aws_vpc" => { "iterator" => "aws_vpcs", "index" => "vpc_ids" },
24
31
  }.freeze
25
32
 
26
33
  AWS_REMOVED_PROPERTIES = {
27
- "aws_elb" => %i{health_check security_groups}, # not sure how to test this yet
28
34
  "aws_ec2_instance" => %i{security_groups}, # not sure how to test this yet
35
+ "aws_elb" => %i{health_check security_groups}, # not sure how to test this yet
36
+ "aws_security_group" => %i{owner_id tags}, # tags are {} instead of nil
29
37
  }.freeze
30
38
 
31
39
  AWS_TRANSLATED_RESOURCE_PROPERTIES = {
40
+ "aws_alb" => { "name" => "load_balancer_name" },
41
+ "aws_cloudtrail_trail" => { "name" => "trail_name" },
32
42
  "aws_elb" => { "name" => "load_balancer_name" },
33
43
  "aws_security_group" => { "name" => "group_name" },
34
44
  }.freeze
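Review bot: `"aws_security_group" => %i{owner_id tags}, # tags are {} instead of nil` filters `tags` a second time, since the same property is already commented out of the shared property list in the other file; keep one mechanism so a future change does not silently re-enable it in one place only. The comment also explains only `tags`; say why `owner_id` is dropped for security groups given it was just added to the shared list. Reordering `aws_ec2_instance` ahead of `aws_elb` is fine as it makes the hash alphabetical.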
@@ -61,9 +61,11 @@ module InspecPlugins::Iggy
61
61
  default: "terraform.tfstate"
62
62
 
63
63
  class_option :platform,
64
+ required: true,
64
65
  desc: "The InSpec platform providing the necessary resources (aws, azure, or gcp)"
65
66
 
66
67
  class_option :resourcepath,
68
+ required: true,
67
69
  desc: "Specify path to the InSpec Resource Pack providing the necessary resources"
68
70
 
69
71
  desc "generate [options]", "Generate InSpec compliance controls from terraform.tfstate"
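Review bot: making `:platform` and `:resourcepath` required matches the README, but nothing in this hunk validates their values: the `desc` for `:platform` lists "aws, azure, or gcp" and the README writes `gcp|aws|azure`, so restricting it with Thor's `enum: %w{aws azure gcp}` would turn a typo into an immediate usage error; and `:resourcepath` should be checked to exist and to look like an InSpec resource pack before it is handed to InSpec, since whatever Ruby lives in that directory is loaded into the generator, and failing fast with a clear message is better than a load error deep inside InSpec.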
@@ -2,6 +2,6 @@
2
2
 
3
3
  module InspecPlugins
4
4
  module Iggy
5
- VERSION = "0.7.0".freeze
5
+ VERSION = "0.8.0".freeze
6
6
  end
7
7
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: inspec-iggy
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.7.0
4
+ version: 0.8.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Matt Ray
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-12-16 00:00:00.000000000 Z
11
+ date: 2019-12-18 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: inspec