diff --git a/README.md b/README.md index 59a0bab6..039a3e2a 100644 --- a/README.md +++ b/README.md @@ -367,6 +367,7 @@ The following resources are available in the InSpec GCP Profile | [google_runtime_config_config_iam_policy](docs/resources/google_runtime_config_config_iam_policy.md) | No Plural Resource | | [google_runtime_config_variable](docs/resources/google_runtime_config_variable.md) | [google_runtime_config_variables](docs/resources/google_runtime_config_variables.md) | | [google_secret_manager_secret](docs/resources/google_secret_manager_secret.md) | [google_secret_manager_secrets](docs/resources/google_secret_manager_secrets.md) | +| [google_secret_manage_regional_secret](docs/resources/google_secret_manager_regional_secret.md) | [google_secret_manager_regional_secrets](docs/resources/google_secret_manager_regional_secrets.md) | | [google_service_account](docs/resources/google_service_account.md) | [google_service_accounts](docs/resources/google_service_accounts.md) | | No Singular Resource | [google_service_networking_service_connections](docs/resources/google_service_networking_service_connections.md) | | [google_service_account_key](docs/resources/google_service_account_key.md) | [google_service_account_keys](docs/resources/google_service_account_keys.md) | diff --git a/docs/resources/google_secret_manager_regional_secret.md b/docs/resources/google_secret_manager_regional_secret.md new file mode 100644 index 00000000..0f8c701f --- /dev/null +++ b/docs/resources/google_secret_manager_regional_secret.md @@ -0,0 +1,63 @@ +--- +title: About the google_secret_manager_regional_secret resource +platform: gcp +--- + +## Syntax +A `google_secret_manager_regional_secret` is used to test a Google Regional Secret resource + +## Examples +``` +describe google_secret_manager_regional_secret(name: 'projects//locations//secrets/', region: 'value_region') do + it { should exist } + +end + +describe google_secret_manager_regional_secret(name: "does_not_exit", region: 'value_region') do + it { should_not exist } +end +``` + +## Properties +Properties that can be accessed from the `google_secret_manager_regional_secret` resource: + + + * `name`: The resource name of the Regional Secret. Format: `projects/{{project}}/locations/{{location}}/secrets/{{secret_id}}` + + * `create_time`: The time at which the Regional Secret was created. + + * `labels`: The labels assigned to this Regional Secret. Label keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}][\p{Ll}\p{Lo}\p{N}_-]{0,62} Label values must be between 0 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}\p{N}_-]{0,63} No more than 64 labels can be assigned to a given resource. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. + + * `annotations`: Custom metadata about the regional secret. + Annotations are distinct from various forms of labels. Annotations exist to allow + client tools to store their own state information without requiring a database. + Annotation keys must be between 1 and 63 characters long, have a UTF-8 encoding of + maximum 128 bytes, begin and end with an alphanumeric character ([a-z0-9A-Z]), and + may have dashes (-), underscores (_), dots (.), and alphanumerics in between these + symbols. + The total size of annotation keys and values must be less than 16KiB. + + * `customer_managed_encryption`: Customer Managed Encryption for the secret. + + * `kms_key_name`: Describes the Cloud KMS encryption key that will be used to protect destination secret. + + * `topics`: A list of up to 10 Pub/Sub topics to which messages are published when control plane operations are called on the secret or its versions. + + * `name`: The resource name of the Pub/Sub topic that will be published to, in the following format: projects/*/topics/*. For publication to succeed, the Secret Manager Service Agent service account must have pubsub.publisher permissions on the topic. + + * `expire_time`: Timestamp in UTC when the Secret is scheduled to expire. This is always provided on output, regardless of what was sent on input. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". + + * `ttl`: The TTL for the Secret. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s". + + * `version_destroy_ttl`: Secret Version TTL after destruction request. This is a part of the delayed delete feature on Secret Version. For secret with versionDestroyTtl>0, version destruction doesn't happen immediately on calling destroy instead the version goes to a disabled state and the actual destruction happens after this TTL expires. It must be atleast 24h. + + * `rotation`: The rotation time and period for a Secret. At `next_rotation_time`, Secret Manager will send a Pub/Sub notification to the topics configured on the Secret. `topics` must be set to configure rotation. + + * `next_rotation_time`: Timestamp in UTC at which the Secret is scheduled to rotate. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". + + * `rotation_period`: The Duration between rotation notifications. Must be in seconds and at least 3600s (1h) and at most 3153600000s (100 years). If rotationPeriod is set, `next_rotation_time` must be set. `next_rotation_time` will be advanced by this period when the service automatically sends rotation notifications. + + +## GCP Permissions + +Ensure the [Secret Manager API](https://console.cloud.google.com/apis/library/secretmanager.googleapis.com/) is enabled for the current project. \ No newline at end of file diff --git a/docs/resources/google_secret_manager_regional_secrets.md b/docs/resources/google_secret_manager_regional_secrets.md new file mode 100644 index 00000000..5911c7e2 --- /dev/null +++ b/docs/resources/google_secret_manager_regional_secrets.md @@ -0,0 +1,37 @@ +--- +title: About the google_secret_manager_regional_secrets resource +platform: gcp +--- + +## Syntax +A `google_secret_manager_regional_secrets` is used to test a Google Regional Secret resource + +## Examples +``` + describe google_secret_manager_regional_secrets(parent: ' value_parent', region: 'value_region') do + it { should exist } + end +``` + +## Properties +Properties that can be accessed from the `google_secret_manager_regional_secrets` resource: + +See [google_secret_manager_regional_secret.md](google_secret_manager_regional_secret.md) for more detailed information + * `names`: an array of `google_secret_manager_regional_secret` name + * `create_times`: an array of `google_secret_manager_regional_secret` create_time + * `annotations`: an array of `google_secret_manager_regional_secret` annotation + * `labels`: an array of `google_secret_manager_regional_secret` labels + * `topics`: an array of `google_secret_manager_regional_secret` topics + * `expire_times`: an array of `google_secret_manager_regional_secret` expire_time + * `ttls`: an array of `google_secret_manager_regional_secret` ttl + * `rotations`: an array of `google_secret_manager_regional_secret` rotation + * `customer_managed_encryptions`: an array of `google_secret_manager_regional_secret` customer_managed_encryption + * `version_destroy_ttl`: an array of `google_secret_manager_regional_secret` version_destroy_ttl + +## Filter Criteria +This resource supports all of the above properties as filter criteria, which can be used +with `where` as a block or a method. + +## GCP Permissions + +Ensure the [Secret Manager Regional API](https://console.cloud.google.com/apis/library/secretmanager.googleapis.com/) is enabled for the current project. \ No newline at end of file diff --git a/libraries/google/secretmanagerregional/property/secret_customer_managed_encryption.rb b/libraries/google/secretmanagerregional/property/secret_customer_managed_encryption.rb new file mode 100644 index 00000000..19314c4b --- /dev/null +++ b/libraries/google/secretmanagerregional/property/secret_customer_managed_encryption.rb @@ -0,0 +1,42 @@ +# frozen_string_literal: false + +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** Type: MMv1 *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- +module GoogleInSpec + module SecretManagerRegional + module Property + class SecretCustomerManagedEncryption + attr_reader :kms_key_name + + def initialize(args = nil, parent_identifier = nil) + return if args.nil? + @parent_identifier = parent_identifier + @kms_key_name = args['kmsKeyName'] + end + + def to_s + "#{@parent_identifier} SecretCustomerManagedEncryption" + end + end + + class SecretCustomerManagedEncryptionArray + def self.parse(value, parent_identifier) + return if value.nil? + return SecretCustomerManagedEncryption.new(value, parent_identifier) unless value.is_a?(::Array) + value.map { |v| SecretCustomerManagedEncryption.new(v, parent_identifier) } + end + end + end + end +end diff --git a/libraries/google/secretmanagerregional/property/secret_rotation.rb b/libraries/google/secretmanagerregional/property/secret_rotation.rb new file mode 100644 index 00000000..2772bfbc --- /dev/null +++ b/libraries/google/secretmanagerregional/property/secret_rotation.rb @@ -0,0 +1,37 @@ +# frozen_string_literal: false + +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** Type: MMv1 *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- +module GoogleInSpec + module SecretManagerRegional + module Property + class SecretRotation + attr_reader :next_rotation_time + + attr_reader :rotation_period + + def initialize(args = nil, parent_identifier = nil) + return if args.nil? + @parent_identifier = parent_identifier + @next_rotation_time = args['nextRotationTime'] + @rotation_period = args['rotationPeriod'] + end + + def to_s + "#{@parent_identifier} SecretRotation" + end + end + end + end +end diff --git a/libraries/google/secretmanagerregional/property/secret_topics.rb b/libraries/google/secretmanagerregional/property/secret_topics.rb new file mode 100644 index 00000000..696ed3a6 --- /dev/null +++ b/libraries/google/secretmanagerregional/property/secret_topics.rb @@ -0,0 +1,42 @@ +# frozen_string_literal: false + +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** Type: MMv1 *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- +module GoogleInSpec + module SecretManagerRegional + module Property + class SecretTopics + attr_reader :name + + def initialize(args = nil, parent_identifier = nil) + return if args.nil? + @parent_identifier = parent_identifier + @name = args['name'] + end + + def to_s + "#{@parent_identifier} SecretTopics" + end + end + + class SecretTopicsArray + def self.parse(value, parent_identifier) + return if value.nil? + return SecretTopics.new(value, parent_identifier) unless value.is_a?(::Array) + value.map { |v| SecretTopics.new(v, parent_identifier) } + end + end + end + end +end diff --git a/libraries/google_secret_manager_regional_secret.rb b/libraries/google_secret_manager_regional_secret.rb new file mode 100644 index 00000000..2dec8c8b --- /dev/null +++ b/libraries/google_secret_manager_regional_secret.rb @@ -0,0 +1,76 @@ +# frozen_string_literal: false + +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** Type: MMv1 *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- +require 'gcp_backend' +require 'google/secretmanagerregional/property/secret_customer_managed_encryption' +require 'google/secretmanagerregional/property/secret_rotation' +require 'google/secretmanagerregional/property/secret_topics' + +# A provider to manage Secret Manager resources. +class SecretManagerRegionalSecret < GcpResourceBase + name 'google_secret_manager_regional_secret' + desc 'Secret' + supports platform: 'gcp' + + attr_reader :params + attr_reader :name + attr_reader :create_time + attr_reader :annotations + attr_reader :labels + attr_reader :topics + attr_reader :expire_time + attr_reader :customer_managed_encryption + attr_reader :version_destroy_ttl + attr_reader :version_aliases + attr_reader :rotation + + def initialize(params) + super(params.merge({ use_http_transport: true })) + @params = params + @fetched = @connection.fetch(product_url(params[:beta]), resource_base_url, params, 'Get') + parse unless @fetched.nil? + end + + def parse + @name = @fetched['name'] + @create_time = @fetched['createTime'] + @annotations = @fetched['annotations'] + @labels = @fetched['labels'] + @topics = GoogleInSpec::SecretManagerRegional::Property::SecretTopicsArray.parse(@fetched['topics'], to_s) + @expire_time = @fetched['expireTime'] + @customer_managed_encryption = GoogleInSpec::SecretManagerRegional::Property::SecretCustomerManagedEncryptionArray.parse(@fetched['customerManagedEncryption'], to_s) + @version_destroy_ttl = @fetched['versionDestroyTtl'] + @version_aliases = @fetched['versionAliases'] + @rotation = GoogleInSpec::SecretManagerRegional::Property::SecretRotation.new(@fetched['rotation'], to_s) + end + + def exists? + !@fetched.nil? + end + + def to_s + "Secret #{@params[:name]}" + end + + private + + def product_url(_ = nil) + 'https://secretmanager.{{region}}.rep.googleapis.com/v1/' + end + + def resource_base_url + '{{name}}' + end +end diff --git a/libraries/google_secret_manager_regional_secrets.rb b/libraries/google_secret_manager_regional_secrets.rb new file mode 100644 index 00000000..4efa380c --- /dev/null +++ b/libraries/google_secret_manager_regional_secrets.rb @@ -0,0 +1,97 @@ +# frozen_string_literal: false + +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** Type: MMv1 *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- +require 'gcp_backend' +class SecretManagerRegionalSecrets < GcpResourceBase + name 'google_secret_manager_regional_secrets' + desc 'Secret plural resource' + supports platform: 'gcp' + + attr_reader :table + + filter_table_config = FilterTable.create + + filter_table_config.add(:names, field: :name) + filter_table_config.add(:create_times, field: :create_time) + filter_table_config.add(:annotations, field: :annotations) + filter_table_config.add(:labels, field: :labels) + filter_table_config.add(:topics, field: :topics) + filter_table_config.add(:expire_times, field: :expire_time) + filter_table_config.add(:customer_managed_encryptions, field: :customer_managed_encryption) + filter_table_config.add(:version_destroy_ttls, field: :version_destroy_ttl) + filter_table_config.add(:rotations, field: :rotation) + filter_table_config.add(:version_aliasess, field: :version_aliases) + + filter_table_config.connect(self, :table) + + def initialize(params = {}) + super(params.merge({ use_http_transport: true })) + @params = params + @table = fetch_wrapped_resource('secrets') + end + + def fetch_wrapped_resource(wrap_path) + # fetch_resource returns an array of responses (to handle pagination) + result = @connection.fetch_all(product_url, resource_base_url, @params, 'Get') + return if result.nil? + + # Conversion of string -> object hash to symbol -> object hash that InSpec needs + converted = [] + result.each do |response| + next if response.nil? || !response.key?(wrap_path) + response[wrap_path].each do |hash| + hash_with_symbols = {} + hash.each_key do |key| + name, value = transform(key, hash) + hash_with_symbols[name] = value + end + converted.push(hash_with_symbols) + end + end + + converted + end + + def transform(key, value) + return transformers[key].call(value) if transformers.key?(key) + + [key.to_sym, value] + end + + def transformers + { + 'name' => ->(obj) { [:name, obj['name']] }, + 'createTime' => ->(obj) { [:create_time, obj['createTime']] }, + 'annotations' => ->(obj) { [:annotations, obj['annotations']] }, + 'labels' => ->(obj) { [:labels, obj['labels']] }, + 'topics' => ->(obj) { [:topics, GoogleInSpec::SecretManagerRegional::Property::SecretTopicsArray.parse(obj['topics'], to_s)] }, + 'expireTime' => ->(obj) { [:expire_time, obj['expireTime']] }, + 'customer_managed_encryption' => ->(obj) { [:customer_managed_encryption, GoogleInSpec::SecretManagerRegional::Property::SecretCustomerManagedEncryptionArray.parse(obj['customerManagedEncryption'], to_s)] }, + 'version_destroy_ttl' => ->(obj) { [:version_destroy_ttl, obj['versionDestroyTtl']] }, + 'version_aliases' => ->(obj) { [:version_aliases, obj['versionAliases']] }, + 'rotation' => ->(obj) { [:rotation, GoogleInSpec::SecretManagerRegional::Property::SecretRotation.new(obj['rotation'], to_s)] }, + } + end + + private + + def product_url(_ = nil) + 'https://secretmanager.{{region}}.rep.googleapis.com/v1/' + end + + def resource_base_url + '{{parent}}/secrets' + end +end diff --git a/test/integration/verify/controls/google_secret_manager_regional_secret.rb b/test/integration/verify/controls/google_secret_manager_regional_secret.rb new file mode 100644 index 00000000..66c09c5a --- /dev/null +++ b/test/integration/verify/controls/google_secret_manager_regional_secret.rb @@ -0,0 +1,34 @@ +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** Type: MMv1 *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- + +title 'Test GCP google_secret_manager_regional_secret resource.' + +gcp_project_id = input(:gcp_project_id, value: 'gcp_project_id', description: 'The GCP project identifier.') + +project_secret = input('project_secret', value: { + "name": "test_secret", + "region": "us-central1" +}, description: 'project_secret description') +control 'google_secret_manager_regional_secret-1.0' do + impact 1.0 + title 'google_secret_manager_regional_secret resource test' + + describe google_secret_manager_regional_secret(name: "projects/#{gcp_project_id}/locations/#{project_secret['region']}/secrets/#{project_secret['name']}", region: project_secret['region']) do + it { should exist } + end + + describe google_secret_manager_regional_secret(name: "does_not_exit", region: project_secret['region']) do + it { should_not exist } + end +end diff --git a/test/integration/verify/controls/google_secret_manager_regional_secrets.rb b/test/integration/verify/controls/google_secret_manager_regional_secrets.rb new file mode 100644 index 00000000..fd0ed0ad --- /dev/null +++ b/test/integration/verify/controls/google_secret_manager_regional_secrets.rb @@ -0,0 +1,30 @@ +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** Type: MMv1 *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file in README.md and +# CONTRIBUTING.md located at the root of this package. +# +# ---------------------------------------------------------------------------- + +title 'Test GCP google_secret_manager_regional_secrets resource.' + +gcp_project_id = input(:gcp_project_id, value: 'gcp_project_id', description: 'The GCP project identifier.') + +project_secret = input('project_secret', value: { + "name": "test_secret", + "region": "us-central1" +}, description: 'project_secret description') +control 'google_secret_manager_regional_secrets-1.0' do + impact 1.0 + title 'google_secret_manager_regional_secrets resource test' + + describe google_secret_manager_regional_secrets(parent: "projects/#{gcp_project_id}/locations/#{project_secret['region']}", region: project_secret['region']) do + it { should exist } + end +end