inspec 4.22.1

data/lib/resources/aws/aws_sns_topic.rb

@@ -0,0 +1,57 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-sns"
+
+class AwsSnsTopic < Inspec.resource(1)
+  name "aws_sns_topic"
+  desc "Verifies settings for an SNS Topic"
+  example <<~EXAMPLE
+    describe aws_sns_topic('arn:aws:sns:us-east-1:123456789012:some-topic') do
+      it { should exist }
+      its('confirmed_subscription_count') { should_not be_zero }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsSingularResourceMixin
+  attr_reader :arn, :confirmed_subscription_count
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:arn],
+      allowed_scalar_name: :arn,
+      allowed_scalar_type: String
+    )
+    # Validate the ARN
+    unless validated_params[:arn] =~ /^arn:aws:sns:[\w\-]+:\d{12}:[\S]+$/
+      raise ArgumentError, "Malformed ARN for SNS topics.  Expected an ARN of the form " \
+                           "'arn:aws:sns:REGION:ACCOUNT-ID:TOPIC-NAME'"
+    end
+    validated_params
+  end
+
+  def fetch_from_api
+    aws_response = BackendFactory.create(inspec_runner).get_topic_attributes(topic_arn: @arn).attributes
+    @exists = true
+
+    # The response has a plain hash with CamelCase plain string keys and string values
+    @confirmed_subscription_count = aws_response["SubscriptionsConfirmed"].to_i
+  rescue Aws::SNS::Errors::NotFound
+    @exists = false
+  end
+
+  # Uses the SDK API to really talk to AWS
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::SNS::Client
+
+      def get_topic_attributes(criteria)
+        aws_service_client.get_topic_attributes(criteria)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_sns_topics.rb

@@ -0,0 +1,60 @@
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-sns"
+
+class AwsSnsTopics < Inspec.resource(1)
+  name "aws_sns_topics"
+  desc "Verifies settings for SNS Topics in bulk"
+  example <<~EXAMPLE
+    describe aws_sns_topics do
+      its('topic_arns') { should include '' }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsPluralResourceMixin
+
+  def validate_params(resource_params)
+    unless resource_params.empty?
+      raise ArgumentError, "aws_sns_topics does not accept resource parameters."
+    end
+
+    resource_params
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    @table = []
+    pagination_opts = nil
+    catch_aws_errors do
+      loop do
+        api_result = backend.list_topics(pagination_opts)
+        @table += api_result.topics.map(&:to_h)
+        break if api_result.next_token.nil?
+
+        pagination_opts = { next_token: api_result.next_token }
+      end
+    end
+  end
+
+  # Underlying FilterTable implementation.
+  filter = FilterTable.create
+  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+  filter.register_column(:topic_arns, field: :topic_arn)
+  filter.install_filter_methods_on_resource(self, :table)
+
+  def to_s
+    "EC2 SNS Topics"
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend self
+      self.aws_client_class = Aws::SNS::Client
+
+      def list_topics(pagination_opts)
+        aws_service_client.list_topics(pagination_opts)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_sqs_queue.rb

@@ -0,0 +1,66 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-sqs"
+
+require "uri"
+
+class AwsSqsQueue < Inspec.resource(1)
+  name "aws_sqs_queue"
+  desc "Verifies settings for an SQS Queue"
+  example <<~EXAMPLE
+    describe aws_sqs_queue('https://sqs.ap-southeast-2.amazonaws.com/519527725796/QueueName') do
+      it { should exist }
+      its('visiblity_timeout') { should be 300}
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsSingularResourceMixin
+  attr_reader :arn, :is_fifo_queue, :visibility_timeout, :maximum_message_size, :message_retention_period, :delay_seconds, :receive_message_wait_timeout_seconds, :content_based_deduplication
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:url],
+      allowed_scalar_name: :url,
+      allowed_scalar_type: String
+    )
+    # Validate the URL
+    unless validated_params[:url] =~ /\A#{URI::DEFAULT_PARSER.make_regexp(%w{https})}\z/
+      raise ArgumentError, "Malformed URL for SQS.  Expected an ARN of the form " \
+                           "'https://sqs.ap-southeast-2.amazonaws.com/111212121/MyQeueue'"
+    end
+    validated_params
+  end
+
+  def fetch_from_api
+    aws_response = BackendFactory.create(inspec_runner).get_queue_attributes(queue_url: @url, attribute_names: ["All"]).attributes
+    @exists = true
+    @visibility_timeout = aws_response["VisibilityTimeout"].to_i
+    @maximum_message_size = aws_response["MaximumMessageSize"].to_i
+    @message_retention_period = aws_response["MessageRetentionPeriod"].to_i
+    @delay_seconds = aws_response["DelaySeconds"].to_i
+    @receive_message_wait_timeout_seconds = aws_response["ReceiveMessageWaitTimeSeconds"].to_i
+
+    # FIFO queues - these attributes only exist for FIFO queues, their presence indicates a FIFO
+    # queue
+    @is_fifo_queue = aws_response["FifoQueue"].nil? ? false : true
+    @content_based_deduplication = aws_response["ContentBasedDeduplication"].nil? ? false : true
+  rescue Aws::SQS::Errors::NonExistentQueue
+    @exists = false
+  end
+
+  # Uses the SDK API to really talk to AWS
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::SQS::Client
+
+      def get_queue_attributes(criteria)
+        aws_service_client.get_queue_attributes(criteria)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_subnet.rb

@@ -0,0 +1,92 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-ec2"
+
+class AwsSubnet < Inspec.resource(1)
+  name "aws_subnet"
+  desc "This resource is used to test the attributes of a VPC subnet"
+  example <<~EXAMPLE
+    describe aws_subnet(subnet_id: 'subnet-12345678') do
+      it { should exist }
+      its('cidr_block') { should eq '10.0.1.0/24' }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsSingularResourceMixin
+  attr_reader :assigning_ipv_6_address_on_creation, :availability_zone, :available_ip_address_count,
+              :available, :cidr_block, :default_for_az, :ipv_6_cidr_block_association_set,
+              :mapping_public_ip_on_launch, :subnet_id, :vpc_id
+  alias available? available
+  alias default_for_az? default_for_az
+  alias mapping_public_ip_on_launch? mapping_public_ip_on_launch
+  alias assigning_ipv_6_address_on_creation? assigning_ipv_6_address_on_creation
+
+  def to_s
+    "VPC Subnet #{@subnet_id}"
+  end
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:subnet_id],
+      allowed_scalar_name: :subnet_id,
+      allowed_scalar_type: String
+    )
+
+    # Make sure the subnet_id parameter was specified and in the correct form.
+    if validated_params.key?(:subnet_id) && validated_params[:subnet_id] !~ /^subnet\-[0-9a-f]{8}/
+      raise ArgumentError, 'aws_subnet Subnet ID must be in the format "subnet-" followed by 8 hexadecimal characters.'
+    end
+
+    if validated_params.empty?
+      raise ArgumentError, "You must provide a subnet_id to aws_subnet."
+    end
+
+    validated_params
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+
+    # Transform into filter format expected by AWS
+    filters = []
+    filters.push({ name: "subnet-id", values: [@subnet_id] })
+    ds_response = backend.describe_subnets(filters: filters)
+
+    # If no subnets exist in the VPC, exist is false.
+    if ds_response.subnets.empty?
+      @exists = false
+      return
+    end
+    @exists = true
+    assign_properties(ds_response)
+  end
+
+  def assign_properties(ds_response)
+    @vpc_id                              = ds_response.subnets[0].vpc_id
+    @subnet_id                           = ds_response.subnets[0].subnet_id
+    @cidr_block                          = ds_response.subnets[0].cidr_block
+    @availability_zone                   = ds_response.subnets[0].availability_zone
+    @available_ip_address_count          = ds_response.subnets[0].available_ip_address_count
+    @default_for_az                      = ds_response.subnets[0].default_for_az
+    @mapping_public_ip_on_launch         = ds_response.subnets[0].map_public_ip_on_launch
+    @available                           = ds_response.subnets[0].state == "available"
+    @ipv_6_cidr_block_association_set    = ds_response.subnets[0].ipv_6_cidr_block_association_set
+    @assigning_ipv_6_address_on_creation = ds_response.subnets[0].assign_ipv_6_address_on_creation
+  end
+
+  # Uses the SDK API to really talk to AWS
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::EC2::Client
+
+      def describe_subnets(query)
+        aws_service_client.describe_subnets(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_subnets.rb

@@ -0,0 +1,56 @@
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-ec2"
+
+class AwsSubnets < Inspec.resource(1)
+  name "aws_subnets"
+  desc "Verifies settings for VPC Subnets in bulk"
+  example <<~EXAMPLE
+    # you should be able to test the cidr_block of a subnet
+    describe aws_subnets.where(vpc_id: 'vpc-123456789') do
+      its('subnet_ids') { should eq ['subnet-12345678', 'subnet-87654321'] }
+      its('cidr_blocks') { should eq ['172.31.96.0/20'] }
+      its('states') { should_not include 'pending' }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsPluralResourceMixin
+
+  def validate_params(resource_params)
+    unless resource_params.empty?
+      raise ArgumentError, "aws_vpc_subnets does not accept resource parameters."
+    end
+
+    resource_params
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    @table = backend.describe_subnets.subnets.map(&:to_h)
+  end
+
+  # Underlying FilterTable implementation.
+  filter = FilterTable.create
+  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+  filter.register_column(:vpc_ids, field: :vpc_id)
+    .register_column(:subnet_ids, field: :subnet_id)
+    .register_column(:cidr_blocks, field: :cidr_block)
+    .register_column(:states, field: :state)
+  filter.install_filter_methods_on_resource(self, :table)
+
+  def to_s
+    "EC2 VPC Subnets"
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend self
+      self.aws_client_class = Aws::EC2::Client
+
+      def describe_subnets(query = {})
+        aws_service_client.describe_subnets(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_vpc.rb

@@ -0,0 +1,77 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-ec2"
+
+class AwsVpc < Inspec.resource(1)
+  name "aws_vpc"
+  desc "Verifies settings for AWS VPC"
+  example <<~EXAMPLE
+    describe aws_vpc do
+      it { should be_default }
+      its('cidr_block') { should cmp '10.0.0.0/16' }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsSingularResourceMixin
+
+  def to_s
+    "VPC #{vpc_id}"
+  end
+
+  attr_reader :cidr_block, :dhcp_options_id, :instance_tenancy, :is_default,
+              :state, :vpc_id
+
+  alias default? is_default
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:vpc_id],
+      allowed_scalar_name: :vpc_id,
+      allowed_scalar_type: String
+    )
+
+    if validated_params.key?(:vpc_id) && validated_params[:vpc_id] !~ /^vpc\-([0-9a-f]{8})|(^vpc\-[0-9a-f]{17})$/
+      raise ArgumentError, 'aws_vpc VPC ID must be in the format "vpc-" followed by 8 or 17 hexadecimal characters.'
+    end
+
+    validated_params
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+
+    if @vpc_id.nil?
+      filter = { name: "isDefault", values: ["true"] }
+    else
+      filter = { name: "vpc-id", values: [@vpc_id] }
+    end
+
+    resp = backend.describe_vpcs({ filters: [filter] })
+
+    vpc = resp.vpcs[0].to_h
+    @exists = !vpc.empty?
+    return unless @exists
+
+    @cidr_block = vpc[:cidr_block]
+    @dhcp_options_id = vpc[:dhcp_options_id]
+    @instance_tenancy = vpc[:instance_tenancy]
+    @is_default = vpc[:is_default]
+    @state = vpc[:state]
+    @vpc_id = vpc[:vpc_id]
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::EC2::Client
+
+      def describe_vpcs(query)
+        aws_service_client.describe_vpcs(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_vpcs.rb

@@ -0,0 +1,55 @@
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-ec2"
+
+class AwsVpcs < Inspec.resource(1)
+  name "aws_vpcs"
+  desc "Verifies settings for AWS VPCs in bulk"
+  example <<~EXAMPLE
+    describe aws_vpcs do
+      it { should exist }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsPluralResourceMixin
+
+  # Underlying FilterTable implementation.
+  filter = FilterTable.create
+  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+  filter.register_column(:cidr_blocks, field: :cidr_block)
+    .register_column(:vpc_ids, field: :vpc_id)
+  # We need a dummy here, so FilterTable will define and populate the dhcp_options_id field
+  filter.register_column(:dummy, field: :dhcp_options_id)
+    .register_column(:dhcp_options_ids) { |obj| obj.entries.map(&:dhcp_options_id).uniq }
+  filter.install_filter_methods_on_resource(self, :table)
+
+  def validate_params(raw_params)
+    # No params yet
+    unless raw_params.empty?
+      raise ArgumentError, "aws_vpcs does not accept resource parameters"
+    end
+
+    raw_params
+  end
+
+  def to_s
+    "VPCs"
+  end
+
+  def fetch_from_api
+    describe_vpcs_response = BackendFactory.create(inspec_runner).describe_vpcs
+    @table = describe_vpcs_response.to_h[:vpcs].map(&:to_h)
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::EC2::Client
+
+      def describe_vpcs(query = {})
+        aws_service_client.describe_vpcs(query)
+      end
+    end
+  end
+end