Migrating Google SDK resources to REST Apis

Gemfile

@@ -2,7 +2,7 @@ source 'https://rubygems.org'
 
 gem 'bundle'
 gem 'faraday', '>= 0.16.2'
-gem 'google-api-client'
+# gem 'google-api-client'
 gem 'google-cloud'
 gem 'googleauth'
 # we are pinning to inspec-core-bin below 6.0 to avoid bringing licensing change in the CI

libraries/google_kms_crypto_key_iam_bindings.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: true
+# frozen_string_literal: false
 
 require 'gcp_backend'
 
@@ -12,28 +12,42 @@ class GoogleKMSCryptoKeyIAMBindings < GcpResourceBase
         it { should exist }
       end
     "
-
-    def initialize(opts = {})
-      # Call the parent class constructor
-      super(opts)
-      @crypto_key_url = opts[:crypto_key_url]
-    end
+    attr_reader :params
+    attr_reader :table
 
     # FilterTable setup
     filter_table_config = FilterTable.create
     filter_table_config.add(:iam_binding_roles, field: :iam_binding_role)
-    filter_table_config.connect(self, :fetch_data)
+    filter_table_config.connect(self, :table)
 
-    def fetch_data
+    def initialize(params = {})
+      # Call the parent class constructor
+      super(params.merge({ use_http_transport: true }))
+      @crypto_key_url = params[:crypto_key_url]
+      @params = params
+      @fetched = @connection.fetch(product_url, resource_base_url, params, 'Get')
+      parse unless @fetched.nil?
+    end
+
+    def parse
       iam_binding_rows = []
-      catch_gcp_errors do
-        @iam_bindings = @gcp.gcp_client(Google::Apis::CloudkmsV1::CloudKMSService).get_project_location_key_ring_crypto_key_iam_policy(@crypto_key_url)
-      end
-      return [] if !@iam_bindings || !@iam_bindings.bindings
-      @iam_bindings.bindings.map do |iam_binding|
+      return [] if !@fetched || !@fetched['bindings']
+      @iam_bindings = GoogleInSpec::Iam::Property::IamPolicyBindingsArray.parse(@fetched['bindings'], to_s)
+
+      @iam_bindings.map do |iam_binding|
         iam_binding_rows+=[{ iam_binding_role: iam_binding.role }]
       end
       @table = iam_binding_rows
     end
+
+    private
+
+    def product_url
+      'https://cloudkms.googleapis.com/v1/'
+    end
+
+    def resource_base_url
+      '{{crypto_key_url}}:getIamPolicy'
+    end
   end
 end

libraries/google_kms_key_ring_iam_bindings.rb

@@ -1,8 +1,7 @@
-# frozen_string_literal: true
+# frozen_string_literal: false
 
 require 'gcp_backend'
 require 'time'
-require 'google/apis/cloudkms_v1'
 
 module Inspec::Resources
   class GoogleKMSKeyRingIAMBindings < GcpResourceBase
@@ -14,28 +13,41 @@ class GoogleKMSKeyRingIAMBindings < GcpResourceBase
         it { should exist }
       end
     "
+    attr_reader :params
+    attr_reader :table
 
-    def initialize(opts = {})
+    def initialize(params = {})
       # Call the parent class constructor
-      super(opts)
-      @key_ring_url = opts[:key_ring_url]
+      super(params.merge({ use_http_transport: true }))
+      @key_ring_url = params[:key_ring_url]
+      @params = params
+      @fetched = @connection.fetch(product_url, resource_base_url, params, 'Get')
+      parse unless @fetched.nil?
     end
 
     # FilterTable setup
     filter_table_config = FilterTable.create
     filter_table_config.add(:iam_binding_roles, field: :iam_binding_role)
-    filter_table_config.connect(self, :fetch_data)
+    filter_table_config.connect(self, :table)
 
-    def fetch_data
+    def parse
       iam_binding_rows = []
-      catch_gcp_errors do
-        @iam_bindings = @gcp.gcp_client(Google::Apis::CloudkmsV1::CloudKMSService).get_project_location_key_ring_iam_policy(@key_ring_url)
-      end
-      return [] if !@iam_bindings || !@iam_bindings.bindings
-      @iam_bindings.bindings.map do |iam_binding|
+      return [] if !@fetched || !@fetched['bindings']
+      @iam_bindings = GoogleInSpec::Iam::Property::IamPolicyBindingsArray.parse(@fetched['bindings'], to_s)
+      @iam_bindings.map do |iam_binding|
         iam_binding_rows+=[{ iam_binding_role: iam_binding.role }]
       end
       @table = iam_binding_rows
     end
+
+    private
+
+    def product_url
+      'https://cloudkms.googleapis.com/v1/'
+    end
+
+    def resource_base_url
+      '{{key_ring_url}}:getIamPolicy'
+    end
   end
 end

libraries/google_project_alert_policy_condition.rb

@@ -1,7 +1,6 @@
-# frozen_string_literal: true
+# frozen_string_literal: false
 
 require 'gcp_backend'
-require 'google/apis/monitoring_v3'
 
 module Inspec::Resources
   class GoogleProjectAlertPolicyCondition < GcpResourceBase
@@ -14,24 +13,23 @@ class GoogleProjectAlertPolicyCondition < GcpResourceBase
       end
     "
 
-    def initialize(opts = {})
+    def initialize(params = {})
       # Call the parent class constructor
-      super(opts)
-      @filter = opts[:filter]
-      @policy = opts[:policy]
-      catch_gcp_errors do
-        @policy_result = @gcp.gcp_client(Google::Apis::MonitoringV3::MonitoringService).get_project_alert_policy(@policy)
-        @condition = condition_for_filter(@filter)
-      end
+      super(params.merge({ use_http_transport: true }))
+      @filter = params[:filter]
+      @policy = params[:name]
+      @fetched = @connection.fetch(product_url, resource_base_url, params, 'Get')
+      @condition = condition_for_filter(@filter)
     end
 
     def exists?
       [email protected]?
     end
 
     def condition_for_filter(filter)
-      return nil if !defined?(@policy_result.conditions) || @policy_result.conditions.nil?
-      @policy_result.conditions.each do |condition|
+      @policy_result = GoogleInSpec::Monitoring::Property::AlertPolicyConditionsArray.parse(@fetched['conditions'], to_s)
+      return nil if !defined?(@policy_result) || @policy_result.nil?
+      @policy_result.each do |condition|
         next if !defined?(condition.condition_threshold.filter) || condition.condition_threshold.filter.nil?
         return condition if condition.condition_threshold.filter == filter
       end
@@ -61,5 +59,15 @@ def aggregation_cross_series_reducer
     def to_s
       "Alert Policy Condition #{@policy} \"#{@filter}\""
     end
+
+    private
+
+    def product_url(_ = nil)
+      'https://monitoring.googleapis.com/v3/'
+    end
+
+    def resource_base_url
+      '{{name}}'
+    end
   end
 end

libraries/google_project_iam_binding.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: true
+# frozen_string_literal: false
 
 require 'gcp_backend'
 
@@ -12,23 +12,24 @@ class GoogleProjectIAMBinding < GcpResourceBase
         it { should exist }
       end
     "
+    attr_reader :params
 
-    def initialize(opts = {})
+    def initialize(params = {})
       # Call the parent class constructor
-      super(opts)
-      @project = opts[:project]
-      @role = opts[:role]
+      super(params.merge({ use_http_transport: true }))
+      @project = params[:project]
+      @params = params
+      @role = params[:role]
       @iam_binding_exists = false
       @members_list=[]
-      catch_gcp_errors do
-        # NOTE: this is the same call as for the plural iam_bindings resource because there isn't an easy way to pull out a singular binding
-        @iam_bindings = @gcp.gcp_project_client.get_project_iam_policy(@project)
-        raise Inspec::Exceptions::ResourceFailed, "google_project_iam_binding is missing expected IAM policy 'bindings' property" if !@iam_bindings || !@iam_bindings.bindings
-        @iam_bindings.bindings.each do |binding|
-          next if binding.role != @role
-          @iam_binding_exists=true
-          @members_list=binding.members
-        end
+      # NOTE: this is the same call as for the plural iam_bindings resource because there isn't an easy way to pull out a singular binding
+      @fetched = @connection.fetch(product_url, resource_base_url, params, 'Post')
+      @bindings = GoogleInSpec::Iam::Property::IamPolicyBindingsArray.parse(@fetched['bindings'], to_s)
+      raise Inspec::Exceptions::ResourceFailed, "google_project_iam_binding is missing expected IAM policy 'bindings' property" if !@bindings
+      @bindings.each do |binding|
+        next if binding.role != @role.to_s
+        @iam_binding_exists=true
+        @members_list=binding.members
       end
     end
 
@@ -44,5 +45,15 @@ def exists?
     def to_s
       "Project IAM Binding #{@role}"
     end
+
+    private
+
+    def product_url
+      'https://cloudresourcemanager.googleapis.com/v1/'
+    end
+
+    def resource_base_url
+      'projects/{{project}}:getIamPolicy'
+    end
   end
 end

libraries/google_project_iam_bindings.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: true
+# frozen_string_literal: false
 
 require 'gcp_backend'
 
@@ -13,28 +13,51 @@ class GoogleProjectIAMBindings < GcpResourceBase
         ...
       end
     "
+    attr_reader :params
+    attr_reader :table
 
-    def initialize(opts = {})
+    def initialize(params = {})
       # Call the parent class constructor
-      super(opts)
-      @project = opts[:project]
+      super(params.merge({ use_http_transport: true }))
+      @params = params
+      @project = params[:project]
+      @iam_binding_exists = false
+      @fetched = @connection.fetch(product_url, resource_base_url, params, 'Post')
+      parse unless @fetched.nil?
     end
 
     # FilterTable setup
     filter_table_config = FilterTable.create
     filter_table_config.add(:iam_binding_roles, field: :iam_binding_role)
-    filter_table_config.connect(self, :fetch_data)
+    filter_table_config.connect(self, :table)
 
-    def fetch_data
+    def parse
       iam_binding_rows = []
-      catch_gcp_errors do
-        @iam_bindings = @gcp.gcp_project_client.get_project_iam_policy(@project)
-      end
-      return [] if !@iam_bindings || !@iam_bindings.bindings
-      @iam_bindings.bindings.map do |iam_binding|
+      @bindings = GoogleInSpec::Iam::Property::IamPolicyBindingsArray.parse(@fetched['bindings'], to_s)
+      return [] if !@bindings
+      @bindings.map do |iam_binding|
         iam_binding_rows+=[{ iam_binding_role: iam_binding.role }]
       end
+      @iam_binding_exists=true
       @table = iam_binding_rows
     end
+
+    def exists?
+      @iam_binding_exists
+    end
+
+    def to_s
+      "Project IAM Binding #{@role}"
+    end
+
+    private
+
+    def product_url
+      'https://cloudresourcemanager.googleapis.com/v1/'
+    end
+
+    def resource_base_url
+      'projects/{{project}}:getIamPolicy'
+    end
   end
 end

libraries/google_project_logging_audit_config.rb

@@ -1,4 +1,4 @@
-# frozen_string_literal: true
+# frozen_string_literal: false
 
 require 'gcp_backend'
 
@@ -12,29 +12,29 @@ class GoogleProjectLoggingAuditConfig < GcpResourceBase
         it { should exist }
       end
     "
+    attr_reader :params
 
-    def initialize(opts = {})
+    def initialize(params = {})
       # Call the parent class constructor
-      super(opts)
-      @project = opts[:project]
-      catch_gcp_errors do
-        @audit_logging_configs = @gcp.gcp_project_client.get_project_iam_policy(@project)
-        @default_types = []
-        @default_exempted_members = {}
-        if defined?(@audit_logging_configs.audit_configs) && @audit_logging_configs.audit_configs.instance_of?(::Array)
-          @audit_logging_configs.audit_configs.each do |service_config|
-            next if service_config.service != 'allServices'
-            service_config.audit_log_configs.each do |config|
-              @default_types+=[config.log_type]
-              @default_exempted_members[config.log_type]=config.exempted_members if defined?(config.exempted_members) && !config.exempted_members.nil?
-            end
-          end
+      super(params.merge({ use_http_transport: true }))
+      @project = params[:project]
+      @fetched = @connection.fetch(product_url, resource_base_url, params, 'Post')
+      @default_types = []
+      @default_exempted_members = {}
+      return unless defined?(@fetched['auditConfigs']) && @fetched['auditConfigs'].instance_of?(::Array)
+      @audit_logging_configs = GoogleInSpec::Iam::Property::IamPolicyAuditConfigsArray.parse(@fetched['auditConfigs'], to_s)
+
+      @audit_logging_configs.each do |service_config|
+        next if service_config.service != 'allServices'
+        service_config.audit_log_configs.each do |config|
+          @default_types+=[config.log_type]
+          @default_exempted_members[config.log_type]=config.exempted_members if defined?(config.exempted_members) && !config.exempted_members.nil?
         end
       end
     end
 
     def exists?
-      defined?(@audit_logging_configs.audit_configs) && !@audit_logging_configs.audit_configs.nil?
+      defined?(@audit_logging_configs) && !@audit_logging_configs.nil?
     end
 
     attr_reader :default_types
@@ -48,5 +48,15 @@ def has_default_exempted_members?
     def to_s
       "Logging Audit Config For #{@project}"
     end
+
+    private
+
+    def product_url
+      'https://cloudresourcemanager.googleapis.com/v1/'
+    end
+
+    def resource_base_url
+      'projects/{{project}}:getIamPolicy'
+    end
   end
 end