forseti-security / terraform-google-forseti

A Terraform module for installing Forseti on GCP
Apache License 2.0

Broken integration tests for Real-Time Enforcer #281

Closed ingwarr closed 4 years ago

ingwarr commented 4 years ago

It fails at the verify step:

```
Already have image (with digest): gcr.io/cloud-foundation-cicd/cft/developer-tools:0.1.0
Updated property [core/pass_credentials_to_gsutil].
-----> Starting Kitchen (v1.24.0)
-----> Setting up ...
       Finished setting up (0m0.00s).
-----> Verifying ...
$$$$$$ Running command terraform workspace select kitchen-terraform-simple-example-local in directory /workspace/test/fixtures/simple_example
$$$$$$ Running command terraform output -json in directory /workspace/test/fixtures/simple_example
gcp: Verifying

Profile: simple-example
Version: (not specified)
Target:  gcp://ci-forseti@ci-forseti-host-project-luan.iam.gserviceaccount.com

  ✔  forseti: Forseti GCP resources
     ✔  Instance forseti-client-vm-a6b2299e should exist
     ✔  Instance forseti-client-vm-a6b2299e machine_size should eq "n1-standard-2"
     ✔  Instance forseti-server-vm-a6b2299e should exist
     ✔  Instance forseti-server-vm-a6b2299e machine_size should eq "n1-standard-2"
     ✔  google_sql_database_instances instance_names should include /forseti-server-db-*/
     ✔  Project IAM Binding roles/storage.objectViewer should exist
     ✔  Project IAM Binding roles/storage.objectViewer members should include "serviceAccount:forseti-server-gcp-a6b2299e@ci-forseti-serv-luan.iam.gserviceaccount.com"
     ✔  Project IAM Binding roles/storage.objectCreator should exist
     ✔  Project IAM Binding roles/storage.objectCreator members should include "serviceAccount:forseti-server-gcp-a6b2299e@ci-forseti-serv-luan.iam.gserviceaccount.com"
     ✔  Project IAM Binding roles/cloudsql.client should exist
     ✔  Project IAM Binding roles/cloudsql.client members should include "serviceAccount:forseti-server-gcp-a6b2299e@ci-forseti-serv-luan.iam.gserviceaccount.com"
     ✔  Project IAM Binding roles/cloudtrace.agent should exist
     ✔  Project IAM Binding roles/cloudtrace.agent members should include "serviceAccount:forseti-server-gcp-a6b2299e@ci-forseti-serv-luan.iam.gserviceaccount.com"
     ✔  Project IAM Binding roles/logging.logWriter should exist
     ✔  Project IAM Binding roles/logging.logWriter members should include "serviceAccount:forseti-server-gcp-a6b2299e@ci-forseti-serv-luan.iam.gserviceaccount.com"
     ✔  Project IAM Binding roles/iam.serviceAccountTokenCreator should exist
     ✔  Project IAM Binding roles/iam.serviceAccountTokenCreator members should include "serviceAccount:forseti-server-gcp-a6b2299e@ci-forseti-serv-luan.iam.gserviceaccount.com"
     ✔  google_storage_buckets bucket_names should include "forseti-server-a6b2299e"
     ✔  google_storage_buckets bucket_names should include "forseti-client-a6b2299e"
     ✔  google_storage_buckets bucket_names should include /forseti-cai-export/
     ✔  google_storage_bucket_objects object_names should include "rules/audit_logging_rules.yaml", "rules/bigquery_rules.yaml", "rules/blacklist_rules.yaml", "rules/bucket_rules.yaml", "rules/cloudsql_rules.yaml", "rules/enabled_apis_rules.yaml", "rules/external_project_access_rules.yaml", "rules/firewall_rules.yaml", "rules/forwarding_rules.yaml", "rules/group_rules.yaml", "rules/groups_settings_rules.yaml", "rules/iam_rules.yaml", "rules/iap_rules.yaml", "rules/instance_network_interface_rules.yaml", "rules/ke_rules.yaml", "rules/ke_scanner_rules.yaml", "rules/lien_rules.yaml", "rules/location_rules.yaml", "rules/log_sink_rules.yaml", "rules/resource_rules.yaml", "rules/retention_rules.yaml", "rules/role_rules.yaml", "rules/service_account_key_rules.yaml", and "rules/kms_rules.yaml"
     ✔  Service Account "Forseti Client Service Account" email should eq "forseti-client-gcp-a6b2299e@ci-forseti-serv-luan.iam.gserviceaccount.com"
     ✔  Service Account "Forseti Client Service Account" display_name should eq "Forseti Client Service Account"
     ✔  Service Account "Forseti Server Service Account" email should eq "forseti-server-gcp-a6b2299e@ci-forseti-serv-luan.iam.gserviceaccount.com"
     ✔  Service Account "Forseti Server Service Account" display_name should eq "Forseti Server Service Account"
     ✔  Firewall Rule forseti-server-ssh-external-a6b2299e source_ranges should eq ["0.0.0.0/0"]
     ✔  Firewall Rule forseti-server-ssh-external-a6b2299e direction should eq "INGRESS"
     ✔  Firewall Rule forseti-server-ssh-external-a6b2299e allowed_ssh? should equal true
     ✔  Firewall Rule forseti-server-ssh-external-a6b2299e priority should eq 100
     ✔  Firewall Rule forseti-server-allow-grpc-a6b2299e allows gRPC traffic
     ✔  Firewall Rule forseti-server-allow-grpc-a6b2299e source_ranges should eq ["10.128.0.0/9"]
     ✔  Firewall Rule forseti-server-allow-grpc-a6b2299e direction should eq "INGRESS"
     ✔  Firewall Rule forseti-server-allow-grpc-a6b2299e priority should eq 100
     ✔  Firewall Rule forseti-server-deny-all-a6b2299e denies TCP, UDP, and ICMP
     ✔  Firewall Rule forseti-server-deny-all-a6b2299e source_ranges should eq ["0.0.0.0/0"]
     ✔  Firewall Rule forseti-server-deny-all-a6b2299e direction should eq "INGRESS"
     ✔  Firewall Rule forseti-server-deny-all-a6b2299e priority should eq 200
     ✔  Firewall Rule forseti-client-ssh-external-a6b2299e source_ranges should eq ["0.0.0.0/0"]
     ✔  Firewall Rule forseti-client-ssh-external-a6b2299e direction should eq "INGRESS"
     ✔  Firewall Rule forseti-client-ssh-external-a6b2299e allowed_ssh? should equal true
     ✔  Firewall Rule forseti-client-ssh-external-a6b2299e priority should eq 100
     ✔  Firewall Rule forseti-client-deny-all-a6b2299e denies TCP, UDP, and ICMP
     ✔  Firewall Rule forseti-client-deny-all-a6b2299e source_ranges should eq ["0.0.0.0/0"]
     ✔  Firewall Rule forseti-client-deny-all-a6b2299e direction should eq "INGRESS"
     ✔  Firewall Rule forseti-client-deny-all-a6b2299e priority should eq 200

Profile: Google Cloud Platform Resource Pack (inspec-gcp)
Version: 0.15.1
Target:  gcp://ci-forseti@ci-forseti-host-project-luan.iam.gserviceaccount.com

     No tests executed.

Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 45 successful, 0 failures, 0 skipped
ubuntu@35.208.218.51: Permission denied (publickey).
server: Transport error, can't connect to 'ssh' backend: SSH command failed (command failed: ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -o LogLevel=ERROR -o ForwardAgent=no -i test/fixtures/bastion/tls_private_key ubuntu@35.208.218.51 -p 22 -W 10.129.0.3:22)
ubuntu@35.208.218.51: Permission denied (publickey).
forseti-client: Transport error, can't connect to 'ssh' backend: SSH command failed (command failed: ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -o LogLevel=ERROR -o ForwardAgent=no -i test/fixtures/bastion/tls_private_key ubuntu@35.208.218.51 -p 22 -W 10.129.0.4:22)
org-iam: Verifying
Skipping profile: 'inspec-gcp' on unsupported platform: 'alpine/3.10.1'.

Profile: simple-example
Version: (not specified)
Target:  local://

  ×  forseti-org-iam: Validate organization roles of SA (1 failed)
     ×  Command: gcloud organizations get-iam-policy 943740911108 --filter='bindings.members:forseti-server-gcp-a6b2299e@ci-forseti-serv-luan.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)' has all expected org roles
     expected collection contained:  ["roles/appengine.appViewer", "roles/bigquery.dataViewer", "roles/bigquery.metadataViewer", "roles/br...icy.policyViewer", "roles/servicemanagement.quotaViewer", "roles/serviceusage.serviceUsageConsumer"]
     actual collection contained:    ["roles/appengine.appViewer", "roles/bigquery.metadataViewer", "roles/browser", "roles/cloudasset.vie...icy.policyViewer", "roles/servicemanagement.quotaViewer", "roles/serviceusage.serviceUsageConsumer"]
     the missing elements were:      ["roles/bigquery.dataViewer"]

     ✔  Command: gcloud organizations get-iam-policy 943740911108 --filter='bindings.members:forseti-server-gcp-a6b2299e@ci-forseti-serv-luan.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)' exit_status should eq 0
     ✔  Command: gcloud organizations get-iam-policy 943740911108 --filter='bindings.members:forseti-server-gcp-a6b2299e@ci-forseti-serv-luan.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)' stderr should eq ""

Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 2 successful, 1 failure, 0 skipped

org-iam: InSpec Runner exited with 1
-----> Setting up ...
       Finished setting up (0m0.00s).
-----> Verifying ...
$$$$$$ Running command terraform workspace select kitchen-terraform-shared-vpc-local in directory /workspace/test/fixtures/shared_vpc
$$$$$$ Running command terraform output -json in directory /workspace/test/fixtures/shared_vpc
shared_vpc: Verifying

Profile: GCP Forseti InSpec Profile (shared-vpc-profile)
Version: 0.1.0
Target:  gcp://ci-forseti@ci-forseti-host-project-luan.iam.gserviceaccount.com

  ✔  forseti-service-project: Forseti service project
     ✔  Compute Project Info ci-forseti-serv-luan xpn_project_status should eq "UNSPECIFIED_XPN_PROJECT_STATUS"
     ✔  Compute Project Info ci-forseti-serv-luan name should eq "ci-forseti-serv-luan"
  ✔  forseti-shared-project: Forseti host project
     ✔  Compute Project Info ci-forseti-host-project-luan xpn_project_status should eq "HOST"
     ✔  Compute Project Info ci-forseti-host-project-luan name should eq "ci-forseti-host-project-luan"
  ✔  forseti: Forseti GCP resources
     ✔  Instance forseti-client-vm-5abc9980 should exist
     ✔  Instance forseti-client-vm-5abc9980 machine_size should eq "n1-standard-2"
     ✔  Instance forseti-server-vm-5abc9980 should exist
     ✔  Instance forseti-server-vm-5abc9980 machine_size should eq "n1-standard-2"
     ✔  google_sql_database_instances instance_names should include /forseti-server-db-*/
     ✔  Project IAM Binding roles/storage.objectViewer should exist
     ✔  Project IAM Binding roles/storage.objectViewer members should include "serviceAccount:forseti-server-gcp-5abc9980@ci-forseti-serv-luan.iam.gserviceaccount.com"
     ✔  Project IAM Binding roles/storage.objectCreator should exist
     ✔  Project IAM Binding roles/storage.objectCreator members should include "serviceAccount:forseti-server-gcp-5abc9980@ci-forseti-serv-luan.iam.gserviceaccount.com"
     ✔  Project IAM Binding roles/cloudsql.client should exist
     ✔  Project IAM Binding roles/cloudsql.client members should include "serviceAccount:forseti-server-gcp-5abc9980@ci-forseti-serv-luan.iam.gserviceaccount.com"
     ✔  Project IAM Binding roles/cloudtrace.agent should exist
     ✔  Project IAM Binding roles/cloudtrace.agent members should include "serviceAccount:forseti-server-gcp-5abc9980@ci-forseti-serv-luan.iam.gserviceaccount.com"
     ✔  Project IAM Binding roles/logging.logWriter should exist
     ✔  Project IAM Binding roles/logging.logWriter members should include "serviceAccount:forseti-server-gcp-5abc9980@ci-forseti-serv-luan.iam.gserviceaccount.com"
     ✔  Project IAM Binding roles/iam.serviceAccountTokenCreator should exist
     ✔  Project IAM Binding roles/iam.serviceAccountTokenCreator members should include "serviceAccount:forseti-server-gcp-5abc9980@ci-forseti-serv-luan.iam.gserviceaccount.com"
     ✔  google_storage_buckets bucket_names should include "forseti-server-5abc9980"
     ✔  google_storage_buckets bucket_names should include "forseti-client-5abc9980"
     ✔  google_storage_buckets bucket_names should include /forseti-cai-export/
     ✔  google_storage_bucket_objects object_names should include "rules/audit_logging_rules.yaml", "rules/bigquery_rules.yaml", "rules/blacklist_rules.yaml", "rules/bucket_rules.yaml", "rules/cloudsql_rules.yaml", "rules/enabled_apis_rules.yaml", "rules/external_project_access_rules.yaml", "rules/firewall_rules.yaml", "rules/forwarding_rules.yaml", "rules/group_rules.yaml", "rules/groups_settings_rules.yaml", "rules/iam_rules.yaml", "rules/iap_rules.yaml", "rules/instance_network_interface_rules.yaml", "rules/ke_rules.yaml", "rules/ke_scanner_rules.yaml", "rules/lien_rules.yaml", "rules/location_rules.yaml", "rules/log_sink_rules.yaml", "rules/resource_rules.yaml", "rules/retention_rules.yaml", "rules/role_rules.yaml", "rules/service_account_key_rules.yaml", and "rules/kms_rules.yaml"
     ✔  Service Account "Forseti Client Service Account" email should eq "forseti-client-gcp-5abc9980@ci-forseti-serv-luan.iam.gserviceaccount.com"
     ✔  Service Account "Forseti Client Service Account" display_name should eq "Forseti Client Service Account"
     ✔  Service Account "Forseti Server Service Account" email should eq "forseti-server-gcp-5abc9980@ci-forseti-serv-luan.iam.gserviceaccount.com"
     ✔  Service Account "Forseti Server Service Account" display_name should eq "Forseti Server Service Account"
     ✔  Firewall Rule forseti-server-ssh-external-5abc9980 source_ranges should eq ["0.0.0.0/0"]
     ✔  Firewall Rule forseti-server-ssh-external-5abc9980 direction should eq "INGRESS"
     ✔  Firewall Rule forseti-server-ssh-external-5abc9980 allowed_ssh? should equal true
     ✔  Firewall Rule forseti-server-ssh-external-5abc9980 priority should eq 100
     ✔  Firewall Rule forseti-server-allow-grpc-5abc9980 allows gRPC traffic
     ✔  Firewall Rule forseti-server-allow-grpc-5abc9980 source_ranges should eq ["10.128.0.0/9"]
     ✔  Firewall Rule forseti-server-allow-grpc-5abc9980 direction should eq "INGRESS"
     ✔  Firewall Rule forseti-server-allow-grpc-5abc9980 priority should eq 100
     ✔  Firewall Rule forseti-server-deny-all-5abc9980 denies TCP, UDP, and ICMP
     ✔  Firewall Rule forseti-server-deny-all-5abc9980 source_ranges should eq ["0.0.0.0/0"]
     ✔  Firewall Rule forseti-server-deny-all-5abc9980 direction should eq "INGRESS"
     ✔  Firewall Rule forseti-server-deny-all-5abc9980 priority should eq 200
     ✔  Firewall Rule forseti-client-ssh-external-5abc9980 source_ranges should eq ["0.0.0.0/0"]
     ✔  Firewall Rule forseti-client-ssh-external-5abc9980 direction should eq "INGRESS"
     ✔  Firewall Rule forseti-client-ssh-external-5abc9980 allowed_ssh? should equal true
     ✔  Firewall Rule forseti-client-ssh-external-5abc9980 priority should eq 100
     ✔  Firewall Rule forseti-client-deny-all-5abc9980 denies TCP, UDP, and ICMP
     ✔  Firewall Rule forseti-client-deny-all-5abc9980 source_ranges should eq ["0.0.0.0/0"]
     ✔  Firewall Rule forseti-client-deny-all-5abc9980 direction should eq "INGRESS"
     ✔  Firewall Rule forseti-client-deny-all-5abc9980 priority should eq 200

Profile: Google Cloud Platform Resource Pack (inspec-gcp)
Version: 0.15.1
Target:  gcp://ci-forseti@ci-forseti-host-project-luan.iam.gserviceaccount.com

     No tests executed.

Profile Summary: 3 successful controls, 0 control failures, 0 controls skipped
Test Summary: 49 successful, 0 failures, 0 skipped
gcloud: Verifying
Skipping profile: 'inspec-gcp' on unsupported platform: 'alpine/3.10.1'.

Profile: GCP Forseti InSpec Profile (shared-vpc-profile)
Version: 0.1.0
Target:  local://

  ✔  forseti-subnetwork: Check that forseti server and client are on a proper subnet
     ✔  Command: gcloud compute instances describe forseti-server-vm-5abc9980 --project ci-forseti-serv-luan --zone us-central1-c --format=json forseti server should be on shared vpc subnetwork
     ✔  Command: gcloud compute instances describe forseti-server-vm-5abc9980 --project ci-forseti-serv-luan --zone us-central1-c --format=json exit_status should eq 0
     ✔  Command: gcloud compute instances describe forseti-server-vm-5abc9980 --project ci-forseti-serv-luan --zone us-central1-c --format=json stderr should eq ""
     ✔  Command: gcloud compute instances describe forseti-client-vm-5abc9980 --project ci-forseti-serv-luan --zone us-central1-c --format=json forseti server should be on shared vpc subnetwork
     ✔  Command: gcloud compute instances describe forseti-client-vm-5abc9980 --project ci-forseti-serv-luan --zone us-central1-c --format=json exit_status should eq 0
     ✔  Command: gcloud compute instances describe forseti-client-vm-5abc9980 --project ci-forseti-serv-luan --zone us-central1-c --format=json stderr should eq ""
  ×  forseti-org-iam: Validate organization roles of SA (1 failed)
     ×  Command: gcloud organizations get-iam-policy 943740911108 --filter='bindings.members:forseti-server-gcp-5abc9980@ci-forseti-serv-luan.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)' has all expected org roles
     expected collection contained:  ["roles/appengine.appViewer", "roles/bigquery.dataViewer", "roles/bigquery.metadataViewer", "roles/br...icy.policyViewer", "roles/servicemanagement.quotaViewer", "roles/serviceusage.serviceUsageConsumer"]
     actual collection contained:    ["roles/appengine.appViewer", "roles/bigquery.metadataViewer", "roles/browser", "roles/cloudasset.vie...icy.policyViewer", "roles/servicemanagement.quotaViewer", "roles/serviceusage.serviceUsageConsumer"]
     the missing elements were:      ["roles/bigquery.dataViewer"]

     ✔  Command: gcloud organizations get-iam-policy 943740911108 --filter='bindings.members:forseti-server-gcp-5abc9980@ci-forseti-serv-luan.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)' exit_status should eq 0
     ✔  Command: gcloud organizations get-iam-policy 943740911108 --filter='bindings.members:forseti-server-gcp-5abc9980@ci-forseti-serv-luan.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)' stderr should eq ""

Profile Summary: 1 successful control, 1 control failure, 0 controls skipped
Test Summary: 8 successful, 1 failure, 0 skipped

gcloud: InSpec Runner exited with 1
ubuntu@35.208.105.160: Permission denied (publickey).
server: Transport error, can't connect to 'ssh' backend: SSH command failed (command failed: ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -o LogLevel=ERROR -o ForwardAgent=no -i test/fixtures/bastion/tls_private_key ubuntu@35.208.105.160 -p 22 -W 10.128.0.3:22)
ubuntu@35.208.105.160: Permission denied (publickey).
forseti-client: Transport error, can't connect to 'ssh' backend: SSH command failed (command failed: ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -o LogLevel=ERROR -o ForwardAgent=no -i test/fixtures/bastion/tls_private_key ubuntu@35.208.105.160 -p 22 -W 10.128.0.4:22)
-----> Setting up ...
       Finished setting up (0m0.00s).
-----> Verifying ...
$$$$$$ Running command terraform workspace select kitchen-terraform-real-time-enforcer-roles-local in directory /workspace/test/fixtures/real_time_enforcer_roles
$$$$$$ Running command terraform output -json in directory /workspace/test/fixtures/real_time_enforcer_roles
local: Verifying

Profile: real_time_enforcer_roles
Version: (not specified)
Target:  local://

  ✔  roles: Command: gcloud iam roles describe --organization 943740911108 forseti.enforcerViewerwrhI --format=json
     ✔  Command: gcloud iam roles describe --organization 943740911108 forseti.enforcerViewerwrhI --format=json sets the correct permissions
     ✔  Command: gcloud iam roles describe --organization 943740911108 forseti.enforcerViewerwrhI --format=json exit_status should eq 0
     ✔  Command: gcloud iam roles describe --organization 943740911108 forseti.enforcerViewerwrhI --format=json stderr should eq ""
     ✔  Command: gcloud iam roles describe --organization 943740911108 forseti.enforcerWriterwrhI --format=json sets the correct permissions
     ✔  Command: gcloud iam roles describe --organization 943740911108 forseti.enforcerWriterwrhI --format=json exit_status should eq 0
     ✔  Command: gcloud iam roles describe --organization 943740911108 forseti.enforcerWriterwrhI --format=json stderr should eq ""

Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 6 successful, 0 failures, 0 skipped
       Finished verifying (0m1.98s).
-----> Setting up ...
       Finished setting up (0m0.00s).
Creating test fixtures for real-time-enforcer

Initializing the backend...

Initializing provider plugins...

The following providers do not have any version constraints in configuration, so the latest version was installed.

To prevent automatic upgrades to new major versions that may contain breaking changes, it is recommended to add version = "..." constraints to the corresponding provider blocks in configuration, with the constraint strings suggested below.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see any changes that are required for your infrastructure. All Terraform commands should now work.

If you ever set or change modules or backend configuration for Terraform, rerun this command to reinitialize your working directory. If you forget, other commands will detect it and remind you to do so if necessary.
Creating test fixtures, attempt 1 of 3
data.google_project.main: Refreshing state...
random_string.main: Creating...
random_string.main: Creation complete after 0s [id=hanf]
google_storage_bucket.main: Creating...
google_storage_bucket.main: Creation complete after 1s [id=forseti-enforcer-target-hanf]
google_storage_bucket_iam_member.allauthenticatedusers: Creating...
google_storage_bucket_iam_member.allusers: Creating...
google_storage_bucket_iam_member.allauthenticatedusers: Creation complete after 4s [id=forseti-enforcer-target-hanf/roles/storage.objectViewer/allauthenticatedusers]
google_storage_bucket_iam_member.allusers: Creation complete after 8s [id=forseti-enforcer-target-hanf/roles/storage.objectViewer/allusers]

Apply complete! Resources: 4 added, 0 changed, 0 destroyed.

Outputs:

bucket_name = forseti-enforcer-target-hanf
Terraform applied successfully.
-----> Verifying ...
$$$$$$ Running command terraform workspace select kitchen-terraform-real-time-enforcer-local in directory /workspace/test/fixtures/real_time_enforcer
$$$$$$ Running command terraform output -json in directory /workspace/test/fixtures/real_time_enforcer
gcp: Verifying

Profile: real_time_enforcer
Version: (not specified)
Target:  gcp://ci-forseti@ci-forseti-host-project-luan.iam.gserviceaccount.com

  ✔  real-time-enforcer-gcp: Real time enforcer GCP resources
     ✔  Instance forseti-enforcer-vm-jkwd05 should exist
     ✔  Instance forseti-enforcer-vm-jkwd05 machine_size should eq "n1-standard-2"
     ✔  Service Account "Forseti Real Time Enforcer" email should eq "forseti-enforcer-gcp-jkwd05@ci-forseti-serv-luan.iam.gserviceaccount.com"
     ✔  Service Account "Forseti Real Time Enforcer" display_name should eq "Forseti Real Time Enforcer"
     ✔  Topic real-time-enforcer-events-topic-88l5 should exist
     ✔  Bucket forseti-enforcer-jkwd05 should exist
     ✔  Storage Bucket IAM Binding roles/storage.objectViewer should exist
     ✔  Storage Bucket IAM Binding roles/storage.objectViewer members should include "serviceAccount:forseti-enforcer-gcp-jkwd05@ci-forseti-serv-luan.iam.gserviceaccount.com"
     ✔  google_storage_bucket_objects object_names should contain exactly "policy/bigquery/common.rego", "policy/bigquery/dataset_no_public_access.rego", "policy/bigquery/dataset_no_public_authenticated_access.rego", "policy/cloudresourcemanager/common_iam.rego", "policy/exclusions.rego", "policy/policies.rego", "policy/config.yaml", "policy/sql/acl.rego", "policy/sql/backups.rego", "policy/sql/common.rego", "policy/sql/require_ssl.rego", "policy/storage/bucket_iam_disallow_allauthenticatedusers.rego", "policy/storage/bucket_iam_disallow_allusers.rego", "policy/storage/common.rego", "policy/storage/common_iam.rego", and "policy/storage/versioning.rego"
     ✔  Firewall Rule forseti-rt-enforcer-ssh-external-jkwd05 source_ranges should eq ["0.0.0.0/0"]
     ✔  Firewall Rule forseti-rt-enforcer-ssh-external-jkwd05 direction should eq "INGRESS"
     ✔  Firewall Rule forseti-rt-enforcer-ssh-external-jkwd05 allowed_ssh? should equal true
     ✔  Firewall Rule forseti-rt-enforcer-ssh-external-jkwd05 priority should eq 100
     ✔  Firewall Rule forseti-rt-enforcer-deny-all-jkwd05 denies TCP, UDP, and ICMP
     ✔  Firewall Rule forseti-rt-enforcer-deny-all-jkwd05 source_ranges should eq ["0.0.0.0/0"]
     ✔  Firewall Rule forseti-rt-enforcer-deny-all-jkwd05 direction should eq "INGRESS"
     ✔  Firewall Rule forseti-rt-enforcer-deny-all-jkwd05 priority should eq 200
     ✔  Project IAM Binding roles/logging.logWriter members should include "serviceAccount:forseti-enforcer-gcp-jkwd05@ci-forseti-serv-luan.iam.gserviceaccount.com"
  ✔  real-time-enforcer-target-gcp: Storage Bucket ACL forseti-enforcer-target-hanf
     ✔  Storage Bucket ACL forseti-enforcer-target-hanf should not exist
     ✔  Storage Bucket ACL forseti-enforcer-target-hanf should not exist

Profile: Google Cloud Platform Resource Pack (inspec-gcp)
Version: 0.15.1
Target:  gcp://ci-forseti@ci-forseti-host-project-luan.iam.gserviceaccount.com

     No tests executed.

Profile Summary: 2 successful controls, 0 control failures, 0 controls skipped
Test Summary: 20 successful, 0 failures, 0 skipped
real-time-enforcer-host: Verifying host 10.129.0.6
Skipping profile: 'inspec-gcp' on unsupported platform: 'linux/unknown'.

Profile: real_time_enforcer
Version: (not specified)
Target:  ssh://ubuntu@10.129.0.6:22

  ×  real-time-enforcer-host: Real time enforcer host resources (1 failed)
     ✔  Command: systemctl is-active opa-policy exit_status should equal 0 or equal 3
     ×  Command: systemctl is-active opa-policy stdout.chomp should cmp == "active" or cmp == "activating" or cmp == "inactive"

     expected: "active"
          got: "failed"

     (compared using cmp matcher)

     ...or:

     expected: "activating"
          got: "failed"

     (compared using cmp matcher)

     ...or:

     expected: "inactive"
          got: "failed"

     (compared using cmp matcher)

     ✔  Command: systemctl is-active opa-policy stderr should eq ""
     ✔  Command: systemctl is-active opa-server exit_status should equal 0 or equal 3
     ✔  Command: systemctl is-active opa-server stdout.chomp should cmp == "active" or cmp nil or cmp nil
     ✔  Command: systemctl is-active opa-server stderr should eq ""
     ✔  Command: systemctl is-active enforcer exit_status should equal 0 or equal 3
     ✔  Command: systemctl is-active enforcer stdout.chomp should cmp == "active" or cmp nil or cmp nil
     ✔  Command: systemctl is-active enforcer stderr should eq ""
     ✔  Command: systemctl is-enabled enforcer exit_status should be zero
     ✔  Command: systemctl is-enabled enforcer stdout.chomp should eq "enabled"
     ✔  Command: systemctl is-enabled enforcer stderr should eq ""

Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 11 successful, 1 failure, 0 skipped

real-time-enforcer-host: InSpec Runner exited with 1
gcloud: Verifying
Skipping profile: 'inspec-gcp' on unsupported platform: 'alpine/3.10.1'.

Profile: real_time_enforcer
Version: (not specified)
Target:  local://

  ✔  real-time-enforcer-gcloud: Command: gcloud organizations get-iam-policy 943740911108 --filter='bindings.members:forseti-enforcer-gcp-jkwd05@ci-forseti-serv-luan.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)'
     ✔  Command: gcloud organizations get-iam-policy 943740911108 --filter='bindings.members:forseti-enforcer-gcp-jkwd05@ci-forseti-serv-luan.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)' permits the enforcer to view and enforcer policy
     ✔  Command: gcloud organizations get-iam-policy 943740911108 --filter='bindings.members:forseti-enforcer-gcp-jkwd05@ci-forseti-serv-luan.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)' exit_status should eq 0
     ✔  Command: gcloud organizations get-iam-policy 943740911108 --filter='bindings.members:forseti-enforcer-gcp-jkwd05@ci-forseti-serv-luan.iam.gserviceaccount.com' --flatten='bindings[].members' --format='json(bindings.role)' stderr should eq ""

Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 3 successful, 0 failures, 0 skipped
-----> Setting up ...
       Finished setting up (0m0.00s).
-----> Verifying ...
$$$$$$ Running command terraform workspace select kitchen-terraform-real-time-enforcer-sinks-local in directory /workspace/test/fixtures/real_time_enforcer_sinks
$$$$$$ Running command terraform output -json in directory /workspace/test/fixtures/real_time_enforcer_sinks
gcloud: Verifying

Profile: real_time_enforcer_sinks
Version: (not specified)
Target:  local://

  ✔  sinks: Command: gcloud logging sinks describe real-time-enforcer-log-sink-mj71 --organization 943740911108 --format=json
     ✔  Command: gcloud logging sinks describe real-time-enforcer-log-sink-mj71 --organization 943740911108 --format=json exports logs to the enforcer topic
     ✔  Command: gcloud logging sinks describe real-time-enforcer-log-sink-mj71 --organization 943740911108 --format=json includes children logs
     ✔  Command: gcloud logging sinks describe real-time-enforcer-log-sink-mj71 --organization 943740911108 --format=json exit_status should eq 0
     ✔  Command: gcloud logging sinks describe real-time-enforcer-log-sink-mj71 --organization 943740911108 --format=json stderr should eq ""
     ✔  Command: gcloud logging sinks describe real-time-enforcer-log-sink-4h74 --project ci-forseti-enforcer-62ff --format=json exports logs to the enforcer topic
     ✔  Command: gcloud logging sinks describe real-time-enforcer-log-sink-4h74 --project ci-forseti-enforcer-62ff --format=json exit_status should eq 0
     ✔  Command: gcloud logging sinks describe real-time-enforcer-log-sink-4h74 --project ci-forseti-enforcer-62ff --format=json stderr should eq ""

Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 7 successful, 0 failures, 0 skipped
       Finished verifying (0m1.88s).

------Exception-------
Class: Kitchen::ActionFailed
Message: 3 actions failed.
    Verify failed on instance . Please see .kitchen/logs/simple-example-local.log for more details
    Verify failed on instance . Please see .kitchen/logs/shared-vpc-local.log for more details
    Verify failed on instance . Please see .kitchen/logs/real-time-enforcer-local.log for more details

Please see .kitchen/logs/kitchen.log for more details
Also try running kitchen diagnose --all for configuration
```
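The Kitchen run above interleaves three distinct failure modes (a missing org IAM role, SSH transport errors through the bastion, and a systemd unit in the `failed` state) with hundreds of passing lines, which makes the root causes easy to miss. The following script is an added example, not code from terraform-google-forseti or from the issue author; it parses verify output of the shape shown in the issue and reduces each Kitchen verifier to a single actionable reason. The sample log embedded in it is constructed to mirror the formats above (the organization id, service-account names and hosts are copied from the issue), and the `parse_verify_log`/`explain` names are this example's own.

```python
"""Summarise kitchen-terraform / InSpec verify output by failure cause.

Added example (not part of terraform-google-forseti). SAMPLE_LOG is a
constructed, abbreviated log modelled on the output pasted in the issue.
"""
import json
import re
from collections import defaultdict

SAMPLE_LOG = """\
gcp: Verifying
  ✔  forseti: Forseti GCP resources
     ✔  Instance forseti-client-vm-a6b2299e should exist
Profile Summary: 1 successful control, 0 control failures, 0 controls skipped
Test Summary: 45 successful, 0 failures, 0 skipped
ubuntu@35.208.218.51: Permission denied (publickey).
server: Transport error, can't connect to 'ssh' backend: SSH command failed (command failed: ssh -o IdentitiesOnly=yes -i test/fixtures/bastion/tls_private_key ubuntu@35.208.218.51 -p 22 -W 10.129.0.3:22)
org-iam: Verifying
  ×  forseti-org-iam: Validate organization roles of SA (1 failed)
     ×  Command: gcloud organizations get-iam-policy 943740911108 has all expected org roles
     the missing elements were: ["roles/bigquery.dataViewer"]
Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 2 successful, 1 failure, 0 skipped
org-iam: InSpec Runner exited with 1
real-time-enforcer-host: Verifying host 10.129.0.6
  ×  real-time-enforcer-host: Real time enforcer host resources (1 failed)
     ✔  Command: systemctl is-active opa-policy exit_status should equal 0 or equal 3
     ×  Command: systemctl is-active opa-policy stdout.chomp should cmp == "active" or cmp == "activating" or cmp == "inactive"
     expected: "active"
          got: "failed"
     ...or:
     expected: "activating"
          got: "failed"
     ...or:
     expected: "inactive"
          got: "failed"
Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 11 successful, 1 failure, 0 skipped
real-time-enforcer-host: InSpec Runner exited with 1
"""

# One regex per line shape that carries diagnostic value; everything else is ignored.
VERIFYING = re.compile(r"^(?P<v>[\w-]+): Verifying")
CONTROL_FAIL = re.compile(r"^\s*×\s+(?P<id>[\w-]+): (?P<title>.+?) \((?P<n>\d+) failed\)$")
SSH_DENIED = re.compile(r"^(?P<login>\w+@[\w.-]+): Permission denied \((?P<method>\w+)\)\.$")
TRANSPORT = re.compile(r"^(?P<v>[\w-]+): Transport error, can't connect to '(?P<backend>\w+)' backend")
MISSING = re.compile(r"the missing elements were:\s+(?P<items>\[.*\])\s*$")
EXPECTED = re.compile(r'^\s*expected: "(?P<val>[^"]*)"$')
GOT = re.compile(r'^\s*got: "(?P<val>[^"]*)"$')
TEST_SUMMARY = re.compile(r"^Test Summary: (?P<ok>\d+) successful, (?P<fail>\d+) failures?, (?P<skip>\d+) skipped$")
RUNNER_EXIT = re.compile(r"^(?P<v>[\w-]+): InSpec Runner exited with (?P<code>\d+)$")


def parse_verify_log(text):
    """Return {verifier: findings} with failed controls, missing collection
    elements, expected/got pairs, transport errors and the runner exit code."""
    findings = defaultdict(lambda: {
        "failed_controls": [], "missing": [], "expected": [], "got": None,
        "transport": None, "exit_code": 0, "tests": None})
    current = None
    pending_denied = None  # "Permission denied" is printed before the Transport error line
    for line in text.splitlines():
        if m := VERIFYING.match(line):
            current = m["v"]
        elif m := SSH_DENIED.match(line):
            pending_denied = f'{m["login"]}: Permission denied ({m["method"]})'
        elif m := TRANSPORT.match(line):
            # A transport error names its own verifier; that verifier never ran InSpec.
            findings[m["v"]]["transport"] = pending_denied or f'{m["backend"]} backend unreachable'
            findings[m["v"]]["exit_code"] = None
            pending_denied = None
        elif current is None:
            continue
        elif m := CONTROL_FAIL.match(line):
            findings[current]["failed_controls"].append((m["id"], int(m["n"])))
        elif m := MISSING.search(line):
            findings[current]["missing"].extend(json.loads(m["items"]))
        elif m := EXPECTED.match(line):
            findings[current]["expected"].append(m["val"])
        elif m := GOT.match(line):
            findings[current]["got"] = m["val"]
        elif m := TEST_SUMMARY.match(line):
            findings[current]["tests"] = (int(m["ok"]), int(m["fail"]), int(m["skip"]))
        elif m := RUNNER_EXIT.match(line):
            findings[m["v"]]["exit_code"] = int(m["code"])
    return dict(findings)


def explain(findings):
    """Map each verifier's findings to one line a reviewer can act on."""
    reasons = {}
    for verifier, f in findings.items():
        if f["transport"]:
            reasons[verifier] = f"could not reach host: {f['transport']}"
        elif f["missing"]:
            reasons[verifier] = "missing expected elements: " + ", ".join(f["missing"])
        elif f["got"] is not None:
            reasons[verifier] = f'got "{f["got"]}", expected one of {f["expected"]}'
        elif f["exit_code"]:
            reasons[verifier] = f"InSpec exited {f['exit_code']}"
        else:
            reasons[verifier] = "passed"
    return reasons


if __name__ == "__main__":
    for verifier, reason in explain(parse_verify_log(SAMPLE_LOG)).items():
        print(f"{verifier:<28} {reason}")
```

Run against the full output in the issue (for example by piping the Kitchen log into `parse_verify_log`), this yields one line per verifier: `server` and `forseti-client` could not be reached through the bastion (`Permission denied (publickey)`), `org-iam` and `gcloud` are missing `roles/bigquery.dataViewer`, and `real-time-enforcer-host` reports the `opa-policy` unit as `failed`. Note that the host control accepts exit status 3 from `systemctl is-active`, which systemd returns for both `inactive` and `failed`; only the follow-up comparison on stdout distinguishes the two, so the exit-status check alone would not have caught this.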

morgante commented 4 years ago

Are you planning to fix these?

ingwarr commented 4 years ago

@morgante Sure, we will do it

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 15 days if no further activity occurs. Thank you for your contributions.