inspec-gcp

Add support for API Services

Open justyns opened this issue 6 years ago • 3 comments

Detailed Description

GCP documentation: https://cloud.google.com/service-usage/docs/list-services

Listing API services can be done with gcloud services list --project $projectid or through the API mentioned in the docs above. It's possible to list all available services, only enabled services, or only disabled services.

Context

We're currently using terraform's google_project_service resource to enable/disable APIs in specific projects. We are also testing our terraform modules with kitchen-terraform and inspec-gcp.

Right now, I'm having to use the command inspec resource and shell out to gcloud services list. I would much rather use a resource provided by the inspec-gcp library.

Our implementation currently looks similar to this:

describe command("gcloud services list --project=#{project}") do
  its(:exit_status) { should eq 0 }
  its(:stdout) { should match /^pubsub\.googleapis\.com\s+/ }
end

Possible Implementation

I'd like to turn the above code into something like this, but have not put too much thought into how it should look:

describe google_project_service(name: "pubsub.googleapis.com", project: 'some-gcp-project') do
  it { should be_enabled }
end

justyns avatar May 21 '19 17:05 justyns

Interesting. This would obviously be a useful feature, and I'm willing to look into adding it. Would it be preferable to have the resource work against a single api name, or to have a resource that can pull the list of enabled and disabled apis?

For example, it could work like this:

describe google_project_service(project: 'some-gcp-project') do
  its('enabled') { should include 'pubsub.googleapis.com' }
  its('disabled') { should include 'anotherapi.googleapis.com' }
end

slevenick avatar Jun 03 '19 16:06 slevenick

Sorry for the delayed response!

> Would it be preferable to have the resource work against a single api name, or to have a resource that can pull the list of enabled and disabled apis?

I believe the API returns all of the services, so the latter makes sense. We should still be able to loop through a list of APIs that should be enabled; they don't have to be separate inspec resources. Having a resource only check one api service at a time would probably be much slower since it'd be repeatedly making the same api call to get the full list anyway.

justyns avatar Aug 05 '19 18:08 justyns
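The fetch-once-then-loop approach from the comment above, as an added example that is not part of the original thread or inspec-gcp's own code: the service listing is parsed a single time and every policy check runs against that one result. The helper names, the sample output, its NAME/TITLE column layout, and the extra allowlist check for APIs that should not be on are assumptions made for illustration.

```ruby
require 'set'

# Constructed sample of `gcloud services list` output for enabled services.
# The two-column NAME/TITLE table layout is an assumption about the CLI.
SAMPLE_STDOUT = <<~OUT
  NAME                        TITLE
  compute.googleapis.com      Compute Engine API
  pubsub.googleapis.com       Cloud Pub/Sub API
  storage-api.googleapis.com  Google Cloud Storage JSON API
OUT

# Hypothetical helper: parse the listing once into a set of service names
# (first column), skipping the header row and blank lines.
def parse_enabled_services(stdout)
  names = stdout.each_line.map { |line| line.strip.split(/\s+/, 2).first.to_s }
  names.reject { |name| name.empty? || name == 'NAME' }.to_set
end

# Hypothetical helper: compare the parsed set against policy.
#   required - APIs that must be enabled
#   allowed  - APIs that may be enabled in addition to the required ones
# Anything enabled outside both lists is reported as unexpected.
def audit_services(enabled, required:, allowed:)
  {
    missing:    required.reject { |api| enabled.include?(api) },
    unexpected: (enabled - allowed.to_set - required.to_set).to_a.sort
  }
end

# Runs the audit over the constructed sample with a constructed policy.
def service_audit_demo
  enabled = parse_enabled_services(SAMPLE_STDOUT)
  audit_services(enabled,
                 required: %w[pubsub.googleapis.com logging.googleapis.com],
                 allowed:  %w[compute.googleapis.com])
end

puts service_audit_demo.inspect if $PROGRAM_NAME == __FILE__
```

In an InSpec control the same helpers could be fed the `stdout` of the `command` resource shown in the issue description, so the listing is still fetched only once per project.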

I believe this can be done now via the google_project_service resource that was released recently: https://github.com/inspec/inspec-gcp/pull/196

Similar to https://github.com/inspec/inspec-gcp/issues/192

slevenick avatar Nov 05 '19 18:11 slevenick