
google_compute_instance Unexpected token at "not found" ?

Open walterdolce opened this issue 7 years ago • 8 comments

I'm trying to verify whether a GCE instance exists with the following control:

gcp_project = attribute('gcp_project')

control 'gcp-resources' do
  impact 1.0
  title 'Verify the state of the GCP resources'

  describe google_compute_instance(project: gcp_project, name: 'my-instance') do
    it { should exist }
    its('status') { should eq 'RUNNING' }
    its('zone') { should eq 'europe-west2-a' }
  end
end

But when I launch it I get the following:

×  gcp-resources: Verify the state of the GCP resources
     ×  Control Source Code Error ./inspec-profile/controls/gcp-resources.rb:4
     765: unexpected token at 'Not Found'

What does that mean?

walterdolce avatar Oct 31 '18 11:10 walterdolce

FYI

I have already set the GOOGLE_APPLICATION_CREDENTIALS environment variable pointing to my application_default_credentials.json file.

walterdolce avatar Oct 31 '18 11:10 walterdolce

InSpec version in use is 0.6.0

walterdolce avatar Oct 31 '18 11:10 walterdolce

Hi @walterdolce - as a first step, could you retry after updating your top-level inspec.yml to a later InSpec version, e.g.

inspec_version: '>= 2.2.10'

There's a minimal version specified in inspec-gcp; however, https://github.com/inspec/inspec/issues/3066 means that it might not be respected.

skpaterson avatar Oct 31 '18 11:10 skpaterson

@skpaterson It appears I was missing the zone parameter in the test.

With the following, it kind of works:

  describe google_compute_instance(project: gcp_project, zone: 'europe-west2-a', name: 'my-instance') do

Result:

×  gcp-resources: Verify the state of the GCP resources (1 failed)
     ✔  Instance should exist
     ✔  Instance status should eq "RUNNING"
     ×  Instance zone should eq "europe-west2-a"

     expected: "europe-west2-a"
          got: "https://www.googleapis.com/compute/v1/projects/{{gcp_project}}/zones/europe-west2-a"

     (compared using ==)

walterdolce avatar Oct 31 '18 11:10 walterdolce

This leads me to ask 2 questions:

  1. Shouldn't InSpec GCP explicitly state that a certain resource parameter which is expected is missing?
  2. It appears either the code or the docs are lying. The docs state that you can specify the zone name but as in the result above, the full GCP API URI is returned 🤔 Is this a bug in the code or in the docs?

Thanks!

walterdolce avatar Oct 31 '18 11:10 walterdolce

Thanks for confirming that. For 1 above I'll add a TODO this side to improve checks on required parameters and fail more meaningfully!

For 2, so the docs read:

  its('zone') { should match 'us-east1-b' }

Note match not eq. In some cases the resources will create helper functions to only return short names but here I was erring on the side of not curtailing the information returned via the API.

skpaterson avatar Oct 31 '18 11:10 skpaterson
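
As an added example (not code from this thread or from inspec-gcp), the Ruby sketch below covers the two points discussed above: naming missing lookup parameters before any API call, and comparing the zone by its short name when the API returns the full URL. All helper names and the `my-project` value are hypothetical, and it assumes the reported "unexpected token" text is a JSON parse error on a plain `Not Found` response body.

```ruby
require 'json'

# Hypothetical helpers for illustration; none of these are inspec-gcp APIs.
REQUIRED_PARAMS = %i[project zone name].freeze
ZONE_URL = %r{\Ahttps://www\.googleapis\.com/compute/v1/projects/[^/]+/zones/([^/]+)\z}

# Name every required lookup parameter that is missing or blank, before any API call.
def validate_instance_params(opts)
  missing = REQUIRED_PARAMS.select { |key| opts[key].to_s.strip.empty? }
  return opts if missing.empty?

  raise ArgumentError, "google_compute_instance: missing parameter(s): #{missing.join(', ')}"
end

# Turn a non-JSON response body into an error that says what to check.
# Assumption: the "unexpected token" text in the report is a JSON parse error.
def parse_api_body(body)
  JSON.parse(body)
rescue JSON::ParserError
  raise "API returned a non-JSON body #{body[0, 40].inspect}; check project, zone and name"
end

# Reduce the zone URL the API returns to its short name; short names pass through.
def zone_short_name(zone)
  found = ZONE_URL.match(zone)
  found ? found[1] : zone
end

# Exact comparison on the short name, stricter than an unanchored substring match.
def zone_is?(actual, expected)
  zone_short_name(actual) == expected
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample value; 'my-project' is a placeholder project id.
  url = 'https://www.googleapis.com/compute/v1/projects/my-project/zones/europe-west2-a'
  puts zone_short_name(url)
  puts zone_is?(url, 'europe-west2-a')
  begin
    validate_instance_params(project: 'my-project', name: 'my-instance')
  rescue ArgumentError => e
    puts e.message
  end
end
```

RSpec's `match` with a string argument is an unanchored substring match, so a control that must pin an exact zone is stricter when it compares the short name with equality.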

> For 2, so the docs read [...] Note match not eq.

Of course! Silly me. Thanks for pointing that out @skpaterson :)

I guess we'll leave this issue open until the docs/code are updated (re: question 1 earlier)

walterdolce avatar Oct 31 '18 12:10 walterdolce

Makes sense, thanks @walterdolce

skpaterson avatar Oct 31 '18 12:10 skpaterson