google_kms_crypto_key

Use the google_kms_crypto_key InSpec audit resource to test properties of a single GCP KMS crypto key. See this page for useful background.


Syntax

A google_kms_crypto_key resource block declares the tests for a single GCP KMS crypto key by project, location, key ring name and key name.

describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
  it { should exist }
end


Examples

The following examples show how to use this InSpec audit resource.

Test that a GCP KMS crypto key was created recently

describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
  its('create_time_date') { should be > Time.now - 365*60*60*24*10 }
end

Test when the next rotation time for a GCP KMS crypto key is scheduled

describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
  its('next_rotation_time_date') { should be > Time.now - 100000 }
end

Check that the crypto key purpose is as expected

describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
  its('purpose') { should eq "ENCRYPT_DECRYPT" }
end

Check that the crypto key primary version is in the "ENABLED" state

describe google_kms_crypto_key(project: 'chef-inspec-gcp', location: 'us-east1', key_ring_name: 'key-ring', name: 'crypto-key') do
  its('primary_state') { should eq "ENABLED" }
end
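The checks above (expected purpose, an enabled primary version, a configured rotation period within a bound, and a next_rotation_time that lies in the future) can be evaluated over a key record in plain Ruby; this is an added example, not code from the InSpec documentation or the inspec-gcp project. The 90-day rotation bound and the sample key record are assumptions; the field names mirror the resource's properties.

```ruby
require 'time'

# Policy assumption for this example: keys must rotate at least every 90 days.
MAX_ROTATION_SECONDS = 90 * 24 * 60 * 60

# Constructed sample record shaped like what the resource exposes (hypothetical names).
SAMPLE_KEY = {
  'name' => 'projects/chef-inspec-gcp/locations/us-east1/keyRings/key-ring/cryptoKeys/crypto-key',
  'purpose' => 'ENCRYPT_DECRYPT',
  'primary_state' => 'ENABLED',
  'rotation_period' => '7776000s',                # KMS duration string: "<seconds>s"
  'next_rotation_time' => '2099-01-01T00:00:00Z', # RFC 3339 timestamp
}.freeze

# KMS encodes durations as "<seconds>s"; nil means automatic rotation is not configured.
def parse_rotation_period(value)
  return nil if value.nil? || value.empty?
  m = value.match(/\A(\d+)s\z/)
  m ? m[1].to_i : nil
end

# Return the policy findings for a key record; an empty list means the key is compliant.
def crypto_key_findings(key, now: Time.now)
  findings = []
  findings << "purpose is #{key['purpose']}, expected ENCRYPT_DECRYPT" unless key['purpose'] == 'ENCRYPT_DECRYPT'
  findings << "primary version is #{key['primary_state']}, expected ENABLED" unless key['primary_state'] == 'ENABLED'

  period = parse_rotation_period(key['rotation_period'])
  if period.nil?
    findings << 'no rotation_period configured (automatic rotation disabled)'
  elsif period > MAX_ROTATION_SECONDS
    findings << "rotation_period #{period}s exceeds #{MAX_ROTATION_SECONDS}s"
  end

  next_rotation = key['next_rotation_time'] && Time.iso8601(key['next_rotation_time'])
  if next_rotation.nil?
    findings << 'no next_rotation_time scheduled'
  elsif next_rotation <= now
    findings << "next_rotation_time #{key['next_rotation_time']} is in the past"
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  findings = crypto_key_findings(SAMPLE_KEY)
  puts(findings.empty? ? 'compliant' : findings)
end
```

In an InSpec profile the same policy is expressed with `its('rotation_period')`, `its('next_rotation_time_date')`, `its('purpose')` and `its('primary_state')` matchers against the resource.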


Properties

  • create_time
  • create_time_date
  • name
  • crypto_key_name
  • crypto_key_url
  • next_rotation_time
  • next_rotation_time_date
  • primary_create_time
  • primary_create_time_date
  • primary_name
  • primary_state
  • purpose
  • rotation_period


GCP Permissions

Ensure the Cloud Key Management Service (KMS) API is enabled for the project where the resource is located.