Chef InSpec and GCP
Chef InSpec has resources for auditing GCP.
Initialize an InSpec profile for auditing GCP
With Chef InSpec 4 or greater, you can create a profile for testing GCP resources with inspec init profile:
$ inspec init profile --platform gcp my-profile
Create new profile at /Users/me/my-profile
* Creating directory libraries
* Creating file README.md
* Creating directory controls
* Creating file controls/example.rb
* Creating file inspec.yml
* Creating file inputs.yml
* Creating file libraries/.gitkeep
Assuming the inputs.yml file contains your GCP project ID, this sample profile can then be executed using the following command:
inspec exec my-profile --input-file=my-profile/inputs.yml -t gcp://
Set GCP credentials
To use Chef InSpec GCP resources, you will need to install and configure the Google Cloud SDK. Instructions for this prerequisite can be found in the Google Cloud SDK documentation.
Set the GCP credentials file
While InSpec can use user accounts for authentication, Google Cloud documentation recommends using service accounts.
Create a service account with the scopes appropriate for your needs.
Download the credential JSON file, for example project-credentials.json, to your workspace and activate your service account with gcloud auth activate-service-account:
gcloud auth activate-service-account --key-file project-credentials.json
Provide credentials using environment variables
You may also point InSpec at the GCP credentials JSON file via the GOOGLE_APPLICATION_CREDENTIALS environment variable.
export GOOGLE_APPLICATION_CREDENTIALS='/Users/me/.config/gcloud/myproject-1-feb7993e8660.json'
Once you have your environment variables set, you can verify your credentials by running:
$ inspec detect -t gcp://
== Platform Details
Name: gcp
Families: cloud, api
Release: google-cloud-v
GCP resources
- google_access_context_manager_access_policies resource
- google_access_context_manager_access_policy resource
- google_access_context_manager_service_perimeter resource
- google_access_context_manager_service_perimeters resource
- google_appengine_standard_app_version resource
- google_appengine_standard_app_versions resource
- google_bigquery_dataset resource
- google_bigquery_datasets resource
- google_bigquery_table resource
- google_bigquery_tables resource
- google_billing_project_billing_info resource
- google_cloud_scheduler_job resource
- google_cloud_scheduler_jobs resource
- google_cloudbuild_trigger resource
- google_cloudbuild_triggers resource
- google_cloudfunctions_cloud_function resource
- google_cloudfunctions_cloud_functions resource
- google_compute_address resource
- google_compute_addresses resource
- google_compute_autoscaler resource
- google_compute_autoscalers resource
- google_compute_backend_bucket resource
- google_compute_backend_buckets resource
- google_compute_backend_service resource
- google_compute_backend_services resource
- google_compute_disk resource
- google_compute_disks resource
- google_compute_firewall resource
- google_compute_firewalls resource
- google_compute_forwarding_rule resource
- google_compute_forwarding_rules resource
- google_compute_global_address resource
- google_compute_global_addresses resource
- google_compute_global_forwarding_rule resource
- google_compute_global_forwarding_rules resource
- google_compute_health_check resource
- google_compute_health_checks resource
- google_compute_http_health_check resource
- google_compute_http_health_checks resource
- google_compute_https_health_check resource
- google_compute_https_health_checks resource
- google_compute_image resource
- google_compute_instance resource
- google_compute_instance_group resource
- google_compute_instance_group_manager resource
- google_compute_instance_group_managers resource
- google_compute_instance_groups resource
- google_compute_instance_template resource
- google_compute_instance_templates resource
- google_compute_instances resource
- google_compute_network resource
- google_compute_network_endpoint_group resource
- google_compute_network_endpoint_groups resource
- google_compute_networks resource
- google_compute_node_group resource
- google_compute_node_groups resource
- google_compute_node_template resource
- google_compute_node_templates resource
- google_compute_project_info resource
- google_compute_region resource
- google_compute_region_backend_service resource
- google_compute_region_backend_services resource
- google_compute_region_instance_group_manager resource
- google_compute_region_instance_group_managers resource
- google_compute_regional_disk resource
- google_compute_regions resource
- google_compute_route resource
- google_compute_router resource
- google_compute_router_nat resource
- google_compute_router_nats resource
- google_compute_routers resource
- google_compute_routes resource
- google_compute_security_policies resource
- google_compute_security_policy resource
- google_compute_snapshot resource
- google_compute_snapshots resource
- google_compute_ssl_certificate resource
- google_compute_ssl_certificates resource
- google_compute_ssl_policies resource
- google_compute_ssl_policy resource
- google_compute_subnetwork resource
- google_compute_subnetwork_iam_binding resource
- google_compute_subnetwork_iam_policy resource
- google_compute_subnetworks resource
- google_compute_target_http_proxies resource
- google_compute_target_http_proxy resource
- google_compute_target_https_proxies resource
- google_compute_target_https_proxy resource
- google_compute_target_pool resource
- google_compute_target_pools resource
- google_compute_target_tcp_proxies resource
- google_compute_target_tcp_proxy resource
- google_compute_url_map resource
- google_compute_url_maps resource
- google_compute_vpn_tunnel resource
- google_compute_vpn_tunnels resource
- google_compute_zone resource
- google_compute_zones resource
- google_container_cluster resource
- google_container_clusters resource
- google_container_node_pool resource
- google_container_node_pools resource
- google_container_regional_cluster resource
- google_container_regional_clusters resource
- google_container_regional_node_pool resource
- google_container_regional_node_pools resource
- google_dataproc_cluster resource
- google_dataproc_clusters resource
- google_dns_managed_zone resource
- google_dns_managed_zones resource
- google_dns_resource_record_set resource
- google_dns_resource_record_sets resource
- google_filestore_instance resource
- google_filestore_instances resource
- google_iam_custom_role resource
- google_iam_custom_roles resource
- google_iam_organization_custom_role resource
- google_iam_organization_custom_roles resource
- google_iam_service_account resource
- google_iam_service_account_key resource
- google_iam_service_account_keys resource
- google_iam_service_accounts resource
- google_kms_crypto_key resource
- google_kms_crypto_key_iam_binding resource
- google_kms_crypto_key_iam_bindings resource
- google_kms_crypto_key_iam_policy resource
- google_kms_crypto_keys resource
- google_kms_key_ring resource
- google_kms_key_ring_iam_binding resource
- google_kms_key_ring_iam_bindings resource
- google_kms_key_ring_iam_policy resource
- google_kms_key_rings resource
- google_logging_folder_exclusion resource
- google_logging_folder_exclusions resource
- google_logging_folder_log_sink resource
- google_logging_folder_log_sinks resource
- google_logging_organization_log_sink resource
- google_logging_organization_log_sinks resource
- google_logging_project_exclusion resource
- google_logging_project_exclusions resource
- google_logging_project_sink resource
- google_logging_project_sinks resource
- google_ml_engine_model resource
- google_ml_engine_models resource
- google_organization resource
- google_organization_iam_binding resource
- google_organization_iam_policy resource
- google_organization_policy resource
- google_organizations resource
- google_project resource
- google_project_alert_policies resource
- google_project_alert_policy resource
- google_project_alert_policy_condition resource
- google_project_iam_binding resource
- google_project_iam_bindings resource
- google_project_iam_custom_role resource
- google_project_iam_custom_roles resource
- google_project_iam_policy resource
- google_project_logging_audit_config resource
- google_project_metric resource
- google_project_metrics resource
- google_project_service resource
- google_project_services resource
- google_projects resource
- google_pubsub_subscription resource
- google_pubsub_subscription_iam_binding resource
- google_pubsub_subscription_iam_policy resource
- google_pubsub_subscriptions resource
- google_pubsub_topic resource
- google_pubsub_topic_iam_binding resource
- google_pubsub_topic_iam_policy resource
- google_pubsub_topics resource
- google_redis_instance resource
- google_redis_instances resource
- google_resourcemanager_folder resource
- google_resourcemanager_folder_iam_binding resource
- google_resourcemanager_folder_iam_policy resource
- google_resourcemanager_folders resource
- google_resourcemanager_organization_policy resource
- google_resourcemanager_project_iam_binding resource
- google_resourcemanager_project_iam_policy resource
- google_runtime_config_config resource
- google_runtime_config_config_iam_binding resource
- google_runtime_config_config_iam_policy resource
- google_runtime_config_configs resource
- google_runtime_config_variable resource
- google_runtime_config_variables resource
- google_service_account resource
- google_service_account_key resource
- google_service_account_keys resource
- google_service_accounts resource
- google_sourcerepo_repositories resource
- google_sourcerepo_repository resource
- google_spanner_database resource
- google_spanner_databases resource
- google_spanner_instance resource
- google_spanner_instance_iam_binding resource
- google_spanner_instance_iam_policy resource
- google_spanner_instances resource
- google_sql_database_instance resource
- google_sql_database_instances resource
- google_sql_user resource
- google_sql_users resource
- google_storage_bucket resource
- google_storage_bucket_acl resource
- google_storage_bucket_iam_binding resource
- google_storage_bucket_iam_bindings resource
- google_storage_bucket_iam_policy resource
- google_storage_bucket_object resource
- google_storage_bucket_objects resource
- google_storage_buckets resource
- google_storage_default_object_acl resource
- google_storage_object_acl resource
- google_user resource
- google_users resource