
Add support for google_subnetwork_iam_bindings #122

Closed
glarizza opened this issue Mar 14, 2019 · 2 comments · Fixed by #142

Comments

@glarizza

I was trying to define a test that would check for IAM bindings set at the subnetwork level instead of the shared VPC host project level, and it would be helpful to have a native resource to handle that.

@slevenick
Collaborator

slevenick commented Mar 20, 2019

Looking into possibilities to create iam binding resources for various classes, as many types of resources can have iam bindings. Would it be more helpful to have discrete classes for things like google_subnetwork_iam_bindings or have an iam_bindings method on the subnetwork resource?

@glarizza
Author

glarizza commented Mar 20, 2019

For this use case I had to (unfortunately) prove a negative, which meant I had to iterate through all subnetworks in all regions attached to a shared VPC host project and ensure that there weren't any bindings set for a specific group, so having the specific google_subnetwork_iam_bindings resource/class would have been preferable:

require 'json' # needed for JSON.parse below

group_email = attribute('group_email')
shared_vpc  = attribute('shared_vpc')

control "gcp" do
  # The shared_vpc_no_subnets scenario is testing to ensure that
  # compute.networkUser bindings are set at the shared VPC host project level
  # and aren't set at the subnetwork level. The only way to be sure that
  # subnetwork bindings haven't been created (because a subnetwork was not
  # specified) is to loop through all subnetworks in all regions and ensure
  # there aren't any bindings set for the group being tested
  google_compute_regions(
    project: shared_vpc
  ).region_names.each do |region|
    google_compute_subnetworks(
      project: shared_vpc,
      region:  region,
    ).subnetwork_names.each do |subnetwork_name|
      describe "IAM bindings for subnetwork #{subnetwork_name} in region #{region}" do
        let(:bindings) do
          output = %x{gcloud beta compute networks subnets get-iam-policy #{subnetwork_name} --region #{region} --project #{shared_vpc} --format=json}
          JSON.parse(output, symbolize_names: true)[:bindings]
        end

        it "does not include #{group_email} in the roles/compute.networkUser IAM binding" do
          unless bindings.nil?
            expect(bindings).not_to include(
              members: including("group:#{group_email}"),
              role: "roles/compute.networkUser",
            )
          end
        end
      end
    end
  end
end

Link to specific file in question: https://github.com/terraform-google-modules/terraform-google-project-factory/blob/master/test/integration/shared_vpc_no_subnets/controls/gcp.rb
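The negative check that the control above performs, pulled out of InSpec into plain Ruby so it can be exercised offline: this is an added example, not code from the issue or from inspec-gcp. The policy documents and subnetwork names are constructed samples in the shape `gcloud ... get-iam-policy --format=json` returns, including a policy with no `bindings` key, which is the nil case the original control guards against.

```ruby
require 'json'

# Constructed sample policies keyed by "region/subnetwork" (hypothetical names),
# in the shape returned by `gcloud compute networks subnets get-iam-policy --format=json`.
SAMPLE_POLICIES = {
  'us-central1/subnet-a' => '{"etag": "constructed-1", "version": 1}', # no "bindings" key
  'us-central1/subnet-b' => <<~JSON,
    {"bindings": [{"role": "roles/compute.networkViewer",
                   "members": ["group:net-users@example.com"]}],
     "etag": "constructed-2", "version": 1}
  JSON
  'europe-west1/subnet-c' => <<~JSON
    {"bindings": [{"role": "roles/compute.networkUser",
                   "members": ["serviceAccount:sa@example.iam.gserviceaccount.com",
                               "group:net-users@example.com"]}],
     "etag": "constructed-3", "version": 1}
  JSON
}.freeze

# Return the subnetworks (keys of +policies+) whose IAM policy binds +member+
# to +role+. A policy without a "bindings" key is treated as having none,
# mirroring the `unless bindings.nil?` guard in the control.
def subnetworks_binding(policies, member, role)
  policies.select do |_name, json|
    bindings = JSON.parse(json)['bindings'] || []
    bindings.any? { |b| b['role'] == role && Array(b['members']).include?(member) }
  end.keys
end

# The assertion the shared_vpc_no_subnets scenario makes: the group must not
# hold roles/compute.networkUser on any subnetwork, only on the host project.
def no_subnetwork_network_user?(policies, group_email)
  subnetworks_binding(policies, "group:#{group_email}", 'roles/compute.networkUser').empty?
end

if $PROGRAM_NAME == __FILE__
  found = subnetworks_binding(SAMPLE_POLICIES, 'group:net-users@example.com',
                              'roles/compute.networkUser')
  puts found.empty? ? 'no subnetwork-level networkUser bindings' : "bound on: #{found.join(', ')}"
end
```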
