This repository contains the Chef's InSpec profiles (Compliance as a Code) for Auditing the resources deployed on Public Cloud Platforms.
Below prerequisites must be fulfilled for the successful execution of Chef's InSpec Compliance Profiles to audit your resources.
Resources in this repository are meant to use with Chef's InSpec 4.3.2 (check the inspec version using: inspec version). If you don't have the compatible version, download it from official Chef repository.
Option-01: If you are using terraform on your workstation, you can authenticate using User Application Default Credentials ("ADCs").
gcloud auth application-default loginOption-02: You can create a Service Account and use service account key for authentication.
gcloud auth activate-service-account --key-file project-credentials.jsonNote
Whatever option you choose, make sure the identities have the scopes appropriate for your needs (Get/List). Access can be fine-grained to follow the principle of least privilege (PoLP). InSpec GCP resource pack is required to check the GCP resources against the InSpec controls.
To execute the InSpec profiles against your resources (in our case, gcp is the target component), go to command prompt and then run the following commands:
- [Required]
inspec init profile --platform gcp my-gcp-profile# To initialize the profile directory structure and then modify accordingly. - [Optional]
inspec detect -t gcp://# To verify the credentials. - [Required]
inspec exec . -t gcp:// --input-file attributes.yml# To execute the profiles with the required inputs/attributes.
Tip
RuboCop can be used as linter for the ruby files to format.