inspec / inspec-gcp

InSpec GCP (Google Cloud Platform) Resource Pack
https://www.inspec.io/

google_compute_instance Unexpected token at "not found" ? #72

Open walterdolce opened 5 years ago

walterdolce commented 5 years ago

I'm trying to verify whether a GCE instance exists with the following control:

gcp_project = attribute('gcp_project')

control 'gcp-resources' do
  impact 1.0
  title 'Verify the state of the GCP resources'

  describe google_compute_instance(project: gcp_project,  name: 'my-instance') do
    it { should exist }
    its('status') { should eq 'RUNNING' }
    its('zone') { should eq 'europe-west2-a' }
  end
end

But when I launch it I get the following:

×  gcp-resources: Verify the state of the GCP resources
     ×  Control Source Code Error ./inspec-profile/controls/gcp-resources.rb:4
     765: unexpected token at 'Not Found'

What does that mean?

walterdolce commented 5 years ago

FYI

I have already set the GOOGLE_APPLICATION_CREDENTIALS environment variable pointing to my application_default_credentials.json file.

walterdolce commented 5 years ago

InSpec version in use is 0.6.0

skpaterson commented 5 years ago

Hi @walterdolce - as a first step, could you retry updating your top level inspec.yml to a later InSpec version, e.g.

inspec_version: '>= 2.2.10'

There's a minimal version specified in inspec-gcp; however, https://github.com/inspec/inspec/issues/3066 means that it might not be respected.

walterdolce commented 5 years ago

@skpaterson It appears I was missing the zone parameter in the test.

With the following, it kind of works:

  describe google_compute_instance(project: gcp_project, zone: 'europe-west2-a',  name: 'my-instance') do

Result:

×  gcp-resources: Verify the state of the GCP resources (1 failed)
     ✔  Instance should exist
     ✔  Instance status should eq "RUNNING"
     ×  Instance zone should eq "europe-west2-a"

     expected: "europe-west2-a"
          got: "https://www.googleapis.com/compute/v1/projects/{{gcp_project}}/zones/europe-west2-a"

     (compared using ==)

walterdolce commented 5 years ago

This leads me to ask 2 questions:

1) Shouldn't InSpec GCP explicitly state that a certain resource parameter which is expected is missing?

2) It appears either the code or the docs are lying. The docs state that you can specify the zone name but as in the result above, the full GCP API URI is returned 🤔 Is this a bug in the code or in the docs?

Thanks!

skpaterson commented 5 years ago

Thanks for confirming that. For 1 above I'll add a TODO this side to improve checks on required parameters and fail more meaningfully!

For 2, so the docs read:

  its('zone') { should match 'us-east1-b' }

Note match not eq. In some cases the resources will create helper functions to only return short names but here I was erring on the side of not curtailing the information returned via the API.

walterdolce commented 5 years ago

For 2, so the docs read [...] Note match not eq.

Of course! Silly me. Thanks for pointing that out @skpaterson :)

I guess we'll leave this issue open until the docs/code are updated (re: question 1 earlier)

skpaterson commented 5 years ago

Makes sense, thanks @walterdolce
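
The two points from this thread as a plain-Ruby sketch (an added example, not part of the thread and not inspec-gcp code): naming a missing required parameter up front, and why `eq` fails against the zone URI while `match` passes. The helper names are hypothetical, the sample values are constructed, and the idea that the original error came from JSON-parsing a plain-text "Not Found" body is an assumption based on the error text.

```ruby
require 'json'

# Hypothetical helper: report missing required parameters by name instead of
# letting the request go out and surfacing a parser error later.
REQUIRED_INSTANCE_PARAMS = %i[project zone name].freeze

def check_required_params!(opts, required = REQUIRED_INSTANCE_PARAMS)
  missing = required.reject { |k| opts[k].is_a?(String) && !opts[k].strip.empty? }
  return opts if missing.empty?

  raise ArgumentError,
        "google_compute_instance: missing required parameter(s): #{missing.join(', ')}"
end

# Assumed failure mode: a non-JSON body such as "Not Found" reaches the JSON
# parser. Return a readable error hash instead of raising JSON::ParserError.
def parse_api_body(body)
  JSON.parse(body)
rescue JSON::ParserError
  { 'error' => "non-JSON API response: #{body[0, 40].inspect}" }
end

# The API reports the zone as a full URI; take the last path segment when an
# exact comparison against the short zone name is wanted.
def zone_short_name(zone_uri)
  zone_uri.to_s.split('/').last
end

# Constructed sample value modelled on the output shown in the thread.
SAMPLE_ZONE_URI =
  'https://www.googleapis.com/compute/v1/projects/my-project/zones/europe-west2-a'

if __FILE__ == $PROGRAM_NAME
  # Equality against the short name fails, a substring/regex match succeeds.
  puts "eq:    #{SAMPLE_ZONE_URI == 'europe-west2-a'}"
  puts "match: #{SAMPLE_ZONE_URI.match?('europe-west2-a')}"
  puts "short: #{zone_short_name(SAMPLE_ZONE_URI)}"

  # A plain-text body produces a readable error rather than an exception.
  puts parse_api_body('Not Found')['error']

  # The control from the first comment, which omitted zone.
  begin
    check_required_params!(project: 'my-project', name: 'my-instance')
  rescue ArgumentError => e
    puts e.message
  end
end
```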