
For gcp inspec google_dataproc_cluster resource: Expose attributes around scheduled deletion

Open sukchomb-zz opened this issue 5 years ago • 7 comments

Detailed Description

At the present time we cannot perform any compliance checks in this area. These attributes are also not exposed using the solid or beta API calls

gcloud dataproc clusters describe --region=us-central1

gcloud beta dataproc clusters describe --region=us-central1

Context

Having these attributes available to test will strengthen the security posture of the Platform.

Possible Implementation

sukchomb-zz avatar Jan 26 '20 16:01 sukchomb-zz

I can absolutely add this via Magic Modules. I have a large amount of changes in the pipeline, so this will likely need to happen after that.

slevenick avatar Jan 27 '20 20:01 slevenick

@slevenick that is excellent news, thanks.

@sukchomb looking at this again, I see that the GCP API support is already there. gcloud dataproc clusters list --region europe-west2 --format json gets me all the info on my DataProc cluster. Same goes for the beta version.

Are you using an out of date GCP API?

Until @slevenick has completed his magic module work, in the short term you could always create an InSpec command to call the gcloud command above - https://www.inspec.io/docs/reference/resources/command/

Cheers Adrian

lhasadreams avatar Jan 28 '20 13:01 lhasadreams

@lhasadreams the 'lifecycleConfig' section is exposed in the gcloud command

[Screenshot 2020-02-03 at 21 15 17]

And when I use the inspec command resource, I get

Resource command is not supported on platform gcp/google-api-client-v0.23.9.

Component versions I have installed are shown here: [Screenshot 2020-02-03 at 21 26 10]

Please advise what further steps I need to take to get the command resource working.

Cheers,

Sukhjit

sukchomb-zz avatar Feb 03 '20 21:02 sukchomb-zz

Hi Sukhjit,

What it is telling you is correct. You are trying to use the gcp train connection to run a gcloud command, using the InSpec command resource. The gcloud command needs to run on an operating system that then calls gcloud to connect to gcp - no different than if you are running gcloud from your command prompt.

Create a new inspec.yml something like this:

```yaml
name: gcp-command
title: InSpec Profile
maintainer: The Authors
copyright: The Authors
copyright_email: [email protected]
license: Apache-2.0
summary: An InSpec Compliance Profile
version: 0.1.0
supports:
  - platform: os
```

and then the control could be something like this (change to the command that you would like to run):

```ruby
gcp_project_id = "afdaniels"

control 'service-api-match' do
  impact 1.0
  title 'Ensure the services are enabled'
  describe command("gcloud services list --enabled --project=#{gcp_project_id} --format=json") do
    its(:exit_status) { should eq 0 }
    its(:stderr) { should eq '' }
  end
end
```

You would then execute this in a shell on your local or remote machine with the gcloud credentials set:

```shell
inspec exec .
```

You could then use Ruby to parse the JSON returned to make the tests that you require.

Cheers, Adrian

lhasadreams avatar Feb 04 '20 07:02 lhasadreams
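As an added illustration of the "parse the JSON with Ruby" step above (this is not code from the thread or from the inspec-gcp project), the following plain-Ruby helpers take the output of `gcloud dataproc clusters list --format json` (a JSON array) or `gcloud dataproc clusters describe --format json` (a single object) and evaluate the `lifecycleConfig` fields of the Dataproc v1 Cluster resource (`idleDeleteTtl`, `autoDeleteTtl`, `autoDeleteTime`) against scheduled-deletion thresholds. The sample JSON, the cluster names and the thresholds are constructed for this example; the InSpec DSL is deliberately left out so the logic runs stand-alone with `ruby`.

```ruby
require 'json'

# Constructed sample in the shape `gcloud dataproc clusters list --format json` prints:
# a JSON array of Cluster resources. Names and values are made up for this example.
SAMPLE_GCLOUD_JSON = <<~JSON
  [
    {
      "clusterName": "etl-nightly",
      "projectId": "example-project",
      "config": {
        "lifecycleConfig": {
          "idleDeleteTtl": "1800s",
          "autoDeleteTtl": "86400s"
        }
      }
    },
    {
      "clusterName": "adhoc-sandbox",
      "projectId": "example-project",
      "config": {}
    }
  ]
JSON

# Policy thresholds (constructed for this example, not Google defaults).
MAX_IDLE_TTL_SECONDS = 3600
MAX_AUTO_DELETE_TTL_SECONDS = 7 * 24 * 3600

# Accepts the array from `clusters list` or the single object from `clusters describe`.
def clusters_from_json(text)
  data = JSON.parse(text)
  data.is_a?(Array) ? data : [data]
end

# gcloud prints protobuf durations as "<seconds>s"; nil when absent or malformed.
def duration_seconds(value)
  return nil unless value.is_a?(String) && value.match?(/\A\d+(\.\d+)?s\z/)
  value.chomp('s').to_f
end

def lifecycle_config(cluster)
  cluster.dig('config', 'lifecycleConfig') || {}
end

# Returns an array of finding strings for one cluster; an empty array means compliant.
def scheduled_deletion_findings(cluster)
  name = cluster['clusterName']
  lc = lifecycle_config(cluster)
  findings = []

  idle = duration_seconds(lc['idleDeleteTtl'])
  if idle.nil?
    findings << "#{name}: idleDeleteTtl not set (cluster is never deleted when idle)"
  elsif idle > MAX_IDLE_TTL_SECONDS
    findings << "#{name}: idleDeleteTtl #{idle.to_i}s exceeds #{MAX_IDLE_TTL_SECONDS}s"
  end

  auto_ttl = duration_seconds(lc['autoDeleteTtl'])
  auto_time = lc['autoDeleteTime']
  if auto_ttl.nil? && auto_time.nil?
    findings << "#{name}: neither autoDeleteTtl nor autoDeleteTime set (no hard deletion deadline)"
  elsif auto_ttl && auto_ttl > MAX_AUTO_DELETE_TTL_SECONDS
    findings << "#{name}: autoDeleteTtl #{auto_ttl.to_i}s exceeds #{MAX_AUTO_DELETE_TTL_SECONDS}s"
  end

  findings
end

# Maps each cluster name to its findings, so a test can assert per cluster.
def audit_clusters(text)
  clusters_from_json(text).each_with_object({}) do |cluster, report|
    report[cluster['clusterName']] = scheduled_deletion_findings(cluster)
  end
end

if $PROGRAM_NAME == __FILE__
  audit_clusters(SAMPLE_GCLOUD_JSON).each do |name, findings|
    puts "#{findings.empty? ? 'PASS' : 'FAIL'} #{name}"
    findings.each { |f| puts "  - #{f}" }
  end
end
```

Inside a profile with `supports: platform: os`, the same helpers can be called from a control by replacing the constructed sample with `command("gcloud dataproc clusters list --region europe-west2 --format json").stdout` and wrapping the result in a `describe audit_clusters(...)` block whose expectations check that each cluster's findings array is empty.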

@slevenick How are you getting on with the gcp inspec resources for Dataproc?

sukchomb-zz avatar Feb 04 '20 11:02 sukchomb-zz

It's going to be blocked on this PR: https://github.com/inspec/inspec-gcp/pull/226

After those changes go through it should only take a day or two to add

slevenick avatar Feb 04 '20 19:02 slevenick

@slevenick Any update on #226 please?

lhasadreams avatar Mar 02 '20 16:03 lhasadreams