
Implement new google_resourcemanager_folder_policy() resource

Open sukchomb-zz opened this issue 5 years ago • 4 comments

As a platform owner, I want to be able to test folder-level policies that have been implemented.

Detailed Description

We need an equivalent of google_resourcemanager_organization_policy() but that works at 'folder' level.

Context

We are implementing folder-level policies, and having this resource will allow testing of those policies.

Possible Implementation

Virtually the same as google_resourcemanager_organization_policy()

sukchomb-zz, Aug 12 '20 13:08

fyi @slevenick, @skpaterson , @lhasadreams

sukchomb-zz, Aug 12 '20 14:08

@slevenick Is this something that you are considering a magic module for? Cheers, Adrian

lhasadreams, Aug 14 '20 07:08

Yeah, it's definitely possible. It will likely take me a bit to implement though

slevenick, Aug 14 '20 16:08

So, as a fun feature of the current implementation of google_organization_policy, you can retrieve folder-level policies by passing in the folder name instead of an organization name for name, as the structure is shared between these.

So if you have an org-level policy audited like this:

  describe google_organization_policy(name: 'organizations/12345', constraint: 'constraints/compute.disableSerialPortAccess') do
    it { should exist }
    its('boolean_policy.enforced') { should be true }
  end

You can write the same control for a folder-level policy like so:

  describe google_organization_policy(name: 'folders/12345', constraint: 'constraints/compute.disableSerialPortAccess') do
    it { should exist }
    its('boolean_policy.enforced') { should be true }
  end

I'll keep this open to remind me to document this, but there doesn't seem to be a need for a separate resource.

slevenick, Sep 21 '20 23:09
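The point made in the comment above, that the org-policy body has one shape whether the parent is an organization or a folder, shown as an added plain-Ruby example that is not inspec-gcp's own code. One parser and one "exists and boolean_policy.enforced is true" check are run over constructed Resource Manager v1 OrgPolicy responses for an organization and for two folders, one of which sets the constraint itself and one of which has no policy of its own at that level. Assumptions, all labelled in the code: parent names are limited to numeric organizations/ and folders/ IDs (projects are left out), an unset policy at a given level is represented here by an empty body, and the fetch callable and the sample responses are stand-ins for the real API.

```ruby
# Added example (not inspec-gcp's own code): a small Ruby model of the
# "same resource, different parent" idea from the thread above.  A v1 OrgPolicy
# body has the same shape for an organization and a folder, so one parser and
# one matcher serve both.  All API responses below are constructed, not captured.
require 'json'

# Parent names accepted for `name` (assumption: numeric organization and folder
# IDs only, as in the thread; project parents are deliberately left out).
PARENT_RE = %r{\A(organizations|folders)/\d+\z}.freeze

def valid_parent?(name)
  !!(name =~ PARENT_RE)
end

# Minimal parse of a v1 OrgPolicy JSON body.  Returns nil when the body carries
# no policy for the constraint (assumption: an unset policy at this level is an
# empty body), which is the case InSpec's `should exist` catches.
def parse_org_policy(json)
  doc = JSON.parse(json)
  return nil if doc.nil? || doc.empty? || !doc.key?('constraint')
  {
    constraint: doc['constraint'],
    boolean_policy: doc['booleanPolicy'] && { enforced: doc['booleanPolicy']['enforced'] == true },
    list_policy: doc['listPolicy'] && {
      allowed_values: doc['listPolicy'].fetch('allowedValues', []),
      denied_values: doc['listPolicy'].fetch('deniedValues', []),
      all_values: doc['listPolicy']['allValues'],
    },
  }
end

# Audit one (parent, constraint) pair the way the two `describe` blocks above
# do: the policy exists and boolean_policy.enforced is true.  `fetch` is any
# callable returning the JSON body for that parent/constraint (here a map).
def audit_boolean_constraint(fetch, name, constraint)
  raise ArgumentError, "bad parent name #{name.inspect}" unless valid_parent?(name)
  policy = parse_org_policy(fetch.call(name, constraint))
  return { name: name, constraint: constraint, status: :not_set } if policy.nil?
  return { name: name, constraint: constraint, status: :not_boolean } if policy[:boolean_policy].nil?
  status = policy[:boolean_policy][:enforced] ? :enforced : :not_enforced
  { name: name, constraint: constraint, status: status }
end

# Constructed sample responses: one org-level policy and two folders, one that
# sets the constraint itself and one with no policy of its own (inherits).
SAMPLE_RESPONSES = {
  ['organizations/12345', 'constraints/compute.disableSerialPortAccess'] =>
    '{"constraint":"constraints/compute.disableSerialPortAccess","booleanPolicy":{"enforced":true},"etag":"BwWx"}',
  ['folders/12345', 'constraints/compute.disableSerialPortAccess'] =>
    '{"constraint":"constraints/compute.disableSerialPortAccess","booleanPolicy":{"enforced":true},"etag":"BwWy"}',
  ['folders/67890', 'constraints/compute.disableSerialPortAccess'] => '{}',
  ['folders/67890', 'constraints/compute.vmExternalIpAccess'] =>
    '{"constraint":"constraints/compute.vmExternalIpAccess","listPolicy":{"allValues":"DENY"},"etag":"BwWz"}',
}.freeze

# Stand-in for the API call: look the body up in the constructed map.
SAMPLE_FETCH = ->(name, constraint) { SAMPLE_RESPONSES.fetch([name, constraint], '{}') }

# Run the same check over a list of [parent, constraint] pairs.
def audit_all(fetch, targets)
  targets.map { |name, constraint| audit_boolean_constraint(fetch, name, constraint) }
end

if $PROGRAM_NAME == __FILE__
  audit_all(SAMPLE_FETCH, SAMPLE_RESPONSES.keys).each do |r|
    puts format('%-22s %-48s %s', r[:name], r[:constraint], r[:status])
  end
end
```

The :not_set result for folders/67890 is the practical caveat when moving a control from an organization to a folder: a `should exist` check only passes where the policy is set at that exact level, so a folder that merely inherits the constraint from its parent fails the control even though the constraint is effectively enforced there.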