Check DNSSEC key signing only for public dns zones (#69)

Author: KonradSchieban

controls/3.04-networking.rb

@@ -49,8 +49,12 @@
   else
     managed_zone_names.each do |dnszone|
       zone = google_dns_managed_zone(project: gcp_project_id, zone: dnszone)
-
-      if zone.dnssec_config.state == 'on'
+      if zone.visibility == 'private'
+        impact 'none'
+        describe "[#{gcp_project_id}] DNS zone #{dnszone} has private visibility. This test is not applicable for private zones." do
+          skip "[#{gcp_project_id}] DNS zone #{dnszone} has private visibility."
+        end
+      elsif zone.dnssec_config.state == 'on'
         zone.dnssec_config.default_key_specs.select { |spec| spec.key_type == 'keySigning' }.each do |spec|
           describe "[#{gcp_project_id}] DNS Zone [#{dnszone}] with DNSSEC key-signing" do
             subject { spec }

controls/3.05-networking.rb

@@ -49,8 +49,12 @@
   else
     managed_zone_names.each do |dnszone|
       zone = google_dns_managed_zone(project: gcp_project_id, zone: dnszone)
-
-      if zone.dnssec_config.state == 'on'
+      if zone.visibility == 'private'
+        impact 'none'
+        describe "[#{gcp_project_id}] DNS zone #{dnszone} has private visibility. This test is not applicable for private zones." do
+          skip "[#{gcp_project_id}] DNS zone #{dnszone} has private visibility."
+        end
+      elsif zone.dnssec_config.state == 'on'
         zone.dnssec_config.default_key_specs.select { |spec| spec.key_type == 'zoneSigning' }.each do |spec|
           describe "[#{gcp_project_id}] DNS Zone [#{dnszone}] with DNSSEC zone-signing" do
             subject { spec }

inspec.yml

@@ -19,7 +19,7 @@ copyright: "(c) 2020, Google, Inc."
 copyright_email: "[email protected]"
 license: "Apache-2.0"
 summary: "Inspec Google Cloud Platform Center for Internet Security Benchmark v1.1 Profile"
-version: 1.1.0-21
+version: 1.1.0-22
 
 supports:
   - platform: gcp