A Deeper Dive into InSpec 3 and Google Cloud Platform

The recently released InSpec 3 expands the developer ecosystem for compliance-as-code through plugins, integrations, and other new capabilities. This post outlines some of the ways InSpec brings compliance-as-code to Google Cloud Platform (GCP). InSpec 3 includes fully supported GCP platform support, and Chef Automate includes premium content for the Center for Internet Security (CIS) benchmarks for GCP. Chef is proud to be the first vendor certified by CIS for the GCP benchmarks.

Many companies face increasing demand for speed that collides with growing security and regulatory pressures. CIOs are migrating to cloud environments like GCP to improve business agility and security. Google fully understands the security implications of the cloud model and works with companies to ensure a strong approach to security and compliance for GCP.

InSpec helps disambiguate compliance requirements by expressing those requirements as code so that everyone involved in security, no matter their role, can understand what exactly constitutes compliance.

InSpec’s resource packs allow users to extend this approach to the cloud. As an example, the GCP Resource Pack can make assertions about a single GCP network configuration:

# gcp_project_id names the project under test (typically a profile attribute)
describe google_compute_network(project: gcp_project_id, name: 'foo') do
  it { should exist }
  its('name') { should eq 'foo' }
  its('subnetworks.count') { should eq 1 }
  its('subnetworks.first') { should match 'bar' }
  its('routing_config.routing_mode') { should eq 'REGIONAL' }
  # legacy auto-mode networks create a subnet in every region automatically
  its('auto_create_subnetworks') { should be false }
end

The GCP Resource Pack includes dozens of resources in addition to the google_compute_network resource from the sample code shown above. Use these resources to evaluate all aspects of GCP configuration.
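As an added example (not code from this post or from the inspec-gcp project), the control file below generalises the single-network check above to every network in the project and adds a CIS-style firewall check. The `gcp_project_id` attribute, the control names, the file name and the impact values are assumptions; the plural resources, `firewall_names`, `network_names` and the `allow_port_protocol?` helper are taken from the resource pack's documentation.

```inspec
# controls/gcp_network.rb (assumed file name)
# Run against a project with: inspec exec . -t gcp:// --attrs attributes.yml
# InSpec 3 calls profile inputs "attributes"; gcp_project_id is assumed to be one.
gcp_project_id = attribute('gcp_project_id', description: 'GCP project to evaluate')

# Generalises the post's single-network check: every VPC in the project must use
# custom subnet mode and regional routing. The auto-mode "default" network that
# new projects ship with is the usual finding here.
control 'gcp-network-custom-mode' do
  impact 0.5
  title 'VPC networks use custom subnet mode and regional routing'

  google_compute_networks(project: gcp_project_id).network_names.each do |network_name|
    describe google_compute_network(project: gcp_project_id, name: network_name) do
      it { should exist }
      its('auto_create_subnetworks') { should be false }
      its('routing_config.routing_mode') { should eq 'REGIONAL' }
    end
  end
end

# CIS-style check: no ingress rule may expose SSH (tcp/22) to the whole internet.
control 'gcp-firewall-no-public-ssh' do
  impact 0.8
  title 'No firewall rule allows SSH from 0.0.0.0/0'

  google_compute_firewalls(project: gcp_project_id).firewall_names.each do |fw_name|
    fw = google_compute_firewall(project: gcp_project_id, name: fw_name)
    # Only ingress rules that actually allow tcp/22 are relevant; describe each
    # one separately so the report names the offending rule.
    next unless fw.direction == 'INGRESS' && fw.allow_port_protocol?('22', 'tcp')

    describe fw do
      its('source_ranges') { should_not include '0.0.0.0/0' }
    end
  end
end
```

Iterating with the plural resource means a network or firewall rule added after the profile was written is still evaluated, which is what keeps the control honest as the project grows.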

Using the Google Cloud Platform Resource Pack with Chef Automate

The GCP platform support is bundled with Chef Automate 2 (beginning with version 20181011135231). Chef Automate’s cloud scanner can assess and track the compliance of all infrastructure deployed into Google Cloud.

Connect Automate to a GCP project by entering the JSON credentials in the Node Integrations screen. Node management for Google Cloud is currently in open beta and can be enabled by typing “beta” anywhere on the Node Integrations screen.

Google Cloud Platform integration with the Node Integrations feature in Chef Automate

The combination of node integration, Chef Client-driven InSpec scans, and agentless InSpec scans over SSH or WinRM gives Chef Automate a full view of compliance across any GCP project.

Get Started Today

Add these lines to any InSpec profile’s inspec.yml to use the resources in the GCP Resource Pack.

depends:
  - name: inspec-gcp
    url: https://github.com/inspec/inspec-gcp/archive/master.tar.gz
supports:
  - platform: gcp

Sign up for a free trial of Chef Automate to evaluate the resource pack and the CIS Benchmarks for Google Cloud Platform.

Want to learn more? Take this self-guided training on InSpec, then work through this deep dive on InSpec and GCP.

Vikram Ghosh

VP of Business Development focussed on Cloud Partners and ISVs