
Issue with workload_meta_config.mode matcher

Open wyardley opened this issue 2 years ago • 3 comments

Describe the problem

I've got a situation where workloadMetadataConfig.mode is set to GKE_METADATA, and yet the workload_meta_config.mode matcher seems to be nil. This is using a slightly older version of this that's vendored in with https://github.com/GoogleCloudPlatform/inspec-gcp-helpers, so I can try to double-check if this issue affects the latest version as well.

Described in more detail at: https://github.com/GoogleCloudPlatform/inspec-gke-cis-benchmark/issues/30

Possible Solution

  • If it's an issue with the version, updating the pinned version of this in https://github.com/GoogleCloudPlatform/inspec-gcp-helpers could help
  • If it's a naming issue (Metadata vs Meta?) updating upstream in https://github.com/GoogleCloudPlatform/magic-modules/ might help

wyardley avatar Mar 29 '22 21:03 wyardley

Basic POC that shows this against current trunk as well.

title "GKE Nodepool test"

gcp_project_id = input("gcp_project_id")
gke_cluster = input("gke_cluster")
gke_cluster_location = input("gke_cluster_location")
gke_nodepool_name = input("gke_nodepool_name")

# you add controls here
control "gke-cluster-1.0" do
  impact 1.0
  title "Ensure cluster exists."
  desc "Testing"
  describe google_container_cluster(project: gcp_project_id, name: gke_cluster, location: gke_cluster_location) do
    it { should exist }
  end
  describe google_container_node_pool(project: gcp_project_id, nodepool_name: gke_nodepool_name, cluster_name: gke_cluster, location: gke_cluster_location) do
    it { should exist }
    its('config.workload_meta_config.mode') { should be_in %w[GCE_METADATA GKE_METADATA] }
  end
end
  ×  gke-cluster-1.0: Ensure cluster exists. (1 failed)
     ✔  Cluster xyz is expected to exist
     ✔  NodePool default-node-pool is expected to exist
     ×  NodePool default-node-pool config.workload_meta_config.mode is expected to be in "GCE_METADATA" and "GKE_METADATA"
     expected `` to be in the list: `["GCE_METADATA", "GKE_METADATA"]`

dumping out the config object, it's got:

     +     "workloadMetadataConfig"=>{"mode"=>"GKE_METADATA"},

the GCP CLI also shows

config:
  workloadMetadataConfig:
    mode: GKE_METADATA

wyardley avatar Mar 29 '22 22:03 wyardley
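A small Ruby example, added here and not part of the issue or the inspec-gcp project, that reads the node pool config JSON directly (sample constructed from the dump above) and shows how a property name that does not match the API key's snake_case form resolves to nil while `workload_metadata_config.mode` yields the value; it also gives an independent check of the metadata mode to run alongside the resource. The snake-case conversion and the `workload_metadata_config` name are assumptions for illustration, not the resource's actual implementation.

```ruby
require 'json'

# Constructed sample: the relevant slice of the node pool config the
# issue author dumped (API key names in camelCase as GCP returns them).
NODE_POOL_CONFIG_JSON = <<~JSON
  {
    "machineType": "e2-standard-4",
    "workloadMetadataConfig": { "mode": "GKE_METADATA" }
  }
JSON

# Convert an API camelCase key to the snake_case form InSpec-style
# properties use ("workloadMetadataConfig" -> "workload_metadata_config").
def snake_case(key)
  key.gsub(/([a-z\d])([A-Z])/, '\1_\2').downcase
end

# Recursively rename keys so the hash can be walked with snake_case names.
def snake_keys(obj)
  case obj
  when Hash  then obj.each_with_object({}) { |(k, v), h| h[snake_case(k)] = snake_keys(v) }
  when Array then obj.map { |v| snake_keys(v) }
  else obj
  end
end

# Walk a dotted path such as "workload_metadata_config.mode"; a missing
# segment yields nil, which is what a misnamed property looks like to a matcher.
def dig_path(config, path)
  path.split('.').reduce(config) { |node, seg| node.is_a?(Hash) ? node[seg] : nil }
end

ALLOWED_MODES = %w[GCE_METADATA GKE_METADATA].freeze

# Independent check of the node pool's metadata mode straight from the API
# JSON, usable to cross-check what the InSpec resource reports.
def metadata_mode_allowed?(json, path = 'workload_metadata_config.mode')
  ALLOWED_MODES.include?(dig_path(snake_keys(JSON.parse(json)), path))
end

if $PROGRAM_NAME == __FILE__
  cfg = snake_keys(JSON.parse(NODE_POOL_CONFIG_JSON))
  p dig_path(cfg, 'workload_metadata_config.mode') # "GKE_METADATA"
  p dig_path(cfg, 'workload_meta_config.mode')     # nil: name does not match the API key
end
```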

@wyardley this issue is fixed in this PR.

sa-progress avatar Jul 17 '23 19:07 sa-progress

Woo! thanks @sa-progress!

wyardley avatar Jul 17 '23 19:07 wyardley