inspec 2.1.30 → 2.1.43

Files changed (503) hide show
  1. checksums.yaml +4 -4
  2. data/.rubocop.yml +0 -0
  3. data/CHANGELOG.md +39 -18
  4. data/Gemfile +0 -0
  5. data/LICENSE +0 -0
  6. data/MAINTAINERS.md +0 -0
  7. data/MAINTAINERS.toml +0 -0
  8. data/README.md +2 -2
  9. data/Rakefile +4 -2
  10. data/docs/.gitignore +0 -0
  11. data/docs/README.md +0 -0
  12. data/docs/dsl_inspec.md +0 -0
  13. data/docs/dsl_resource.md +0 -0
  14. data/docs/glossary.md +0 -0
  15. data/docs/habitat.md +0 -0
  16. data/docs/inspec_and_friends.md +0 -0
  17. data/docs/matchers.md +0 -0
  18. data/docs/migration.md +0 -0
  19. data/docs/platforms.md +0 -0
  20. data/docs/plugin_kitchen_inspec.md +0 -0
  21. data/docs/profiles.md +2 -0
  22. data/docs/reporters.md +0 -0
  23. data/docs/resources/aide_conf.md.erb +0 -0
  24. data/docs/resources/apache.md.erb +0 -0
  25. data/docs/resources/apache_conf.md.erb +0 -0
  26. data/docs/resources/apt.md.erb +0 -0
  27. data/docs/resources/audit_policy.md.erb +0 -0
  28. data/docs/resources/auditd.md.erb +0 -0
  29. data/docs/resources/auditd_conf.md.erb +0 -0
  30. data/docs/resources/aws_cloudtrail_trail.md.erb +9 -0
  31. data/docs/resources/aws_cloudtrail_trails.md.erb +0 -0
  32. data/docs/resources/aws_cloudwatch_alarm.md.erb +1 -1
  33. data/docs/resources/aws_cloudwatch_log_metric_filter.md.erb +0 -0
  34. data/docs/resources/aws_config_delivery_channel.md +0 -0
  35. data/docs/resources/aws_config_recorder.md.erb +0 -0
  36. data/docs/resources/aws_ec2_instance.md.erb +0 -0
  37. data/docs/resources/aws_iam_access_key.md.erb +0 -0
  38. data/docs/resources/aws_iam_access_keys.md.erb +0 -0
  39. data/docs/resources/aws_iam_group.md.erb +12 -0
  40. data/docs/resources/aws_iam_groups.md.erb +0 -0
  41. data/docs/resources/aws_iam_password_policy.md.erb +0 -0
  42. data/docs/resources/aws_iam_policies.md.erb +0 -0
  43. data/docs/resources/aws_iam_policy.md.erb +99 -4
  44. data/docs/resources/aws_iam_role.md.erb +0 -0
  45. data/docs/resources/aws_iam_root_user.md.erb +2 -2
  46. data/docs/resources/aws_iam_user.md.erb +0 -0
  47. data/docs/resources/aws_iam_users.md.erb +0 -0
  48. data/docs/resources/aws_kms_key.md.erb +0 -0
  49. data/docs/resources/aws_kms_keys.md.erb +0 -0
  50. data/docs/resources/aws_rds_instance.md.erb +0 -0
  51. data/docs/resources/aws_route_table.md.erb +0 -0
  52. data/docs/resources/aws_route_tables.md.erb +0 -0
  53. data/docs/resources/aws_s3_bucket.md.erb +0 -0
  54. data/docs/resources/aws_s3_bucket_object.md.erb +0 -0
  55. data/docs/resources/aws_s3_buckets.md.erb +0 -0
  56. data/docs/resources/aws_security_group.md.erb +160 -21
  57. data/docs/resources/aws_security_groups.md.erb +0 -0
  58. data/docs/resources/aws_sns_subscription.md.erb +0 -0
  59. data/docs/resources/aws_sns_topic.md.erb +0 -0
  60. data/docs/resources/aws_sns_topics.md.erb +0 -0
  61. data/docs/resources/aws_subnet.md.erb +0 -0
  62. data/docs/resources/aws_subnets.md.erb +0 -0
  63. data/docs/resources/aws_vpc.md.erb +0 -0
  64. data/docs/resources/aws_vpcs.md.erb +73 -2
  65. data/docs/resources/azure_generic_resource.md.erb +0 -0
  66. data/docs/resources/azure_resource_group.md.erb +0 -0
  67. data/docs/resources/azure_virtual_machine.md.erb +0 -0
  68. data/docs/resources/azure_virtual_machine_data_disk.md.erb +0 -0
  69. data/docs/resources/bash.md.erb +0 -0
  70. data/docs/resources/bond.md.erb +0 -0
  71. data/docs/resources/bridge.md.erb +0 -0
  72. data/docs/resources/bsd_service.md.erb +0 -0
  73. data/docs/resources/chocolatey_package.md.erb +0 -0
  74. data/docs/resources/command.md.erb +0 -0
  75. data/docs/resources/cpan.md.erb +0 -0
  76. data/docs/resources/cran.md.erb +0 -0
  77. data/docs/resources/crontab.md.erb +0 -0
  78. data/docs/resources/csv.md.erb +0 -0
  79. data/docs/resources/dh_params.md.erb +0 -0
  80. data/docs/resources/directory.md.erb +0 -0
  81. data/docs/resources/docker.md.erb +0 -0
  82. data/docs/resources/docker_container.md.erb +0 -0
  83. data/docs/resources/docker_image.md.erb +0 -0
  84. data/docs/resources/docker_service.md.erb +0 -0
  85. data/docs/resources/elasticsearch.md.erb +0 -0
  86. data/docs/resources/etc_fstab.md.erb +0 -0
  87. data/docs/resources/etc_group.md.erb +0 -0
  88. data/docs/resources/etc_hosts.md.erb +0 -0
  89. data/docs/resources/etc_hosts_allow.md.erb +0 -0
  90. data/docs/resources/etc_hosts_deny.md.erb +0 -0
  91. data/docs/resources/file.md.erb +0 -0
  92. data/docs/resources/filesystem.md.erb +1 -1
  93. data/docs/resources/firewalld.md.erb +0 -0
  94. data/docs/resources/gem.md.erb +0 -0
  95. data/docs/resources/group.md.erb +0 -0
  96. data/docs/resources/grub_conf.md.erb +0 -0
  97. data/docs/resources/host.md.erb +0 -0
  98. data/docs/resources/http.md.erb +0 -0
  99. data/docs/resources/iis_app.md.erb +0 -0
  100. data/docs/resources/iis_site.md.erb +0 -0
  101. data/docs/resources/inetd_conf.md.erb +0 -0
  102. data/docs/resources/ini.md.erb +0 -0
  103. data/docs/resources/interface.md.erb +0 -0
  104. data/docs/resources/iptables.md.erb +0 -0
  105. data/docs/resources/json.md.erb +0 -0
  106. data/docs/resources/kernel_module.md.erb +0 -0
  107. data/docs/resources/kernel_parameter.md.erb +0 -0
  108. data/docs/resources/key_rsa.md.erb +0 -0
  109. data/docs/resources/launchd_service.md.erb +0 -0
  110. data/docs/resources/limits_conf.md.erb +0 -0
  111. data/docs/resources/login_defs.md.erb +0 -0
  112. data/docs/resources/mount.md.erb +0 -0
  113. data/docs/resources/mssql_session.md.erb +0 -0
  114. data/docs/resources/mysql_conf.md.erb +0 -0
  115. data/docs/resources/mysql_session.md.erb +0 -0
  116. data/docs/resources/nginx.md.erb +0 -0
  117. data/docs/resources/nginx_conf.md.erb +0 -0
  118. data/docs/resources/npm.md.erb +0 -0
  119. data/docs/resources/ntp_conf.md.erb +0 -0
  120. data/docs/resources/oneget.md.erb +0 -0
  121. data/docs/resources/oracledb_session.md.erb +0 -0
  122. data/docs/resources/os.md.erb +0 -0
  123. data/docs/resources/os_env.md.erb +0 -0
  124. data/docs/resources/package.md.erb +4 -4
  125. data/docs/resources/packages.md.erb +0 -0
  126. data/docs/resources/parse_config.md.erb +0 -0
  127. data/docs/resources/parse_config_file.md.erb +0 -0
  128. data/docs/resources/passwd.md.erb +0 -0
  129. data/docs/resources/pip.md.erb +0 -0
  130. data/docs/resources/port.md.erb +0 -0
  131. data/docs/resources/postgres_conf.md.erb +0 -0
  132. data/docs/resources/postgres_hba_conf.md.erb +0 -0
  133. data/docs/resources/postgres_ident_conf.md.erb +0 -0
  134. data/docs/resources/postgres_session.md.erb +0 -0
  135. data/docs/resources/powershell.md.erb +0 -0
  136. data/docs/resources/processes.md.erb +0 -0
  137. data/docs/resources/rabbitmq_config.md.erb +0 -0
  138. data/docs/resources/registry_key.md.erb +0 -0
  139. data/docs/resources/runit_service.md.erb +0 -0
  140. data/docs/resources/security_policy.md.erb +0 -0
  141. data/docs/resources/service.md.erb +0 -0
  142. data/docs/resources/shadow.md.erb +0 -0
  143. data/docs/resources/ssh_config.md.erb +0 -0
  144. data/docs/resources/sshd_config.md.erb +0 -0
  145. data/docs/resources/ssl.md.erb +0 -0
  146. data/docs/resources/sys_info.md.erb +0 -0
  147. data/docs/resources/systemd_service.md.erb +0 -0
  148. data/docs/resources/sysv_service.md.erb +0 -0
  149. data/docs/resources/upstart_service.md.erb +0 -0
  150. data/docs/resources/user.md.erb +0 -0
  151. data/docs/resources/users.md.erb +0 -0
  152. data/docs/resources/vbscript.md.erb +0 -0
  153. data/docs/resources/virtualization.md.erb +0 -0
  154. data/docs/resources/windows_feature.md.erb +0 -0
  155. data/docs/resources/windows_hotfix.md.erb +0 -0
  156. data/docs/resources/windows_task.md.erb +0 -0
  157. data/docs/resources/wmi.md.erb +0 -0
  158. data/docs/resources/x509_certificate.md.erb +0 -0
  159. data/docs/resources/xinetd_conf.md.erb +0 -0
  160. data/docs/resources/xml.md.erb +0 -0
  161. data/docs/resources/yaml.md.erb +0 -0
  162. data/docs/resources/yum.md.erb +0 -0
  163. data/docs/resources/zfs_dataset.md.erb +0 -0
  164. data/docs/resources/zfs_pool.md.erb +0 -0
  165. data/docs/ruby_usage.md +0 -0
  166. data/docs/shared/matcher_be.md.erb +0 -0
  167. data/docs/shared/matcher_cmp.md.erb +0 -0
  168. data/docs/shared/matcher_eq.md.erb +0 -0
  169. data/docs/shared/matcher_include.md.erb +0 -0
  170. data/docs/shared/matcher_match.md.erb +0 -0
  171. data/docs/shell.md +0 -0
  172. data/examples/README.md +0 -0
  173. data/examples/inheritance/README.md +0 -0
  174. data/examples/inheritance/controls/example.rb +0 -0
  175. data/examples/inheritance/inspec.yml +0 -0
  176. data/examples/kitchen-ansible/.kitchen.yml +0 -0
  177. data/examples/kitchen-ansible/Gemfile +0 -0
  178. data/examples/kitchen-ansible/README.md +0 -0
  179. data/examples/kitchen-ansible/files/nginx.repo +0 -0
  180. data/examples/kitchen-ansible/tasks/main.yml +0 -0
  181. data/examples/kitchen-ansible/test/integration/default/default.yml +0 -0
  182. data/examples/kitchen-ansible/test/integration/default/web_spec.rb +0 -0
  183. data/examples/kitchen-chef/.kitchen.yml +0 -0
  184. data/examples/kitchen-chef/Berksfile +0 -0
  185. data/examples/kitchen-chef/Gemfile +0 -0
  186. data/examples/kitchen-chef/README.md +0 -0
  187. data/examples/kitchen-chef/metadata.rb +0 -0
  188. data/examples/kitchen-chef/recipes/default.rb +0 -0
  189. data/examples/kitchen-chef/recipes/nginx.rb +0 -0
  190. data/examples/kitchen-chef/test/integration/default/web_spec.rb +0 -0
  191. data/examples/kitchen-puppet/.kitchen.yml +0 -0
  192. data/examples/kitchen-puppet/Gemfile +0 -0
  193. data/examples/kitchen-puppet/Puppetfile +0 -0
  194. data/examples/kitchen-puppet/README.md +0 -0
  195. data/examples/kitchen-puppet/manifests/site.pp +0 -0
  196. data/examples/kitchen-puppet/metadata.json +0 -0
  197. data/examples/kitchen-puppet/test/integration/default/web_spec.rb +0 -0
  198. data/examples/meta-profile/README.md +0 -0
  199. data/examples/meta-profile/controls/example.rb +0 -0
  200. data/examples/meta-profile/inspec.yml +0 -0
  201. data/examples/profile-attribute.yml +0 -0
  202. data/examples/profile-attribute/README.md +0 -0
  203. data/examples/profile-attribute/controls/example.rb +0 -0
  204. data/examples/profile-attribute/inspec.yml +0 -0
  205. data/examples/profile-aws/controls/iam_password_policy_expiration.rb +0 -0
  206. data/examples/profile-aws/controls/iam_password_policy_max_age.rb +0 -0
  207. data/examples/profile-aws/controls/iam_root_user_mfa.rb +0 -0
  208. data/examples/profile-aws/controls/iam_users_access_key_age.rb +0 -0
  209. data/examples/profile-aws/controls/iam_users_console_users_mfa.rb +0 -0
  210. data/examples/profile-aws/inspec.yml +0 -0
  211. data/examples/profile-azure/controls/azure_resource_group_example.rb +0 -0
  212. data/examples/profile-azure/controls/azure_vm_example.rb +0 -0
  213. data/examples/profile-azure/inspec.yml +0 -0
  214. data/examples/profile-sensitive/README.md +0 -0
  215. data/examples/profile-sensitive/controls/sensitive-failures.rb +0 -0
  216. data/examples/profile-sensitive/controls/sensitive.rb +0 -0
  217. data/examples/profile-sensitive/inspec.yml +0 -0
  218. data/examples/profile/README.md +0 -0
  219. data/examples/profile/controls/example.rb +0 -0
  220. data/examples/profile/controls/gordon.rb +0 -0
  221. data/examples/profile/controls/meta.rb +0 -0
  222. data/examples/profile/inspec.yml +0 -0
  223. data/examples/profile/libraries/gordon_config.rb +0 -0
  224. data/inspec.gemspec +1 -1
  225. data/lib/bundles/README.md +0 -0
  226. data/lib/bundles/inspec-artifact.rb +0 -0
  227. data/lib/bundles/inspec-artifact/README.md +0 -0
  228. data/lib/bundles/inspec-artifact/cli.rb +0 -0
  229. data/lib/bundles/inspec-compliance.rb +0 -0
  230. data/lib/bundles/inspec-compliance/.kitchen.yml +0 -0
  231. data/lib/bundles/inspec-compliance/README.md +0 -0
  232. data/lib/bundles/inspec-compliance/api/login.rb +0 -0
  233. data/lib/bundles/inspec-compliance/bootstrap.sh +0 -0
  234. data/lib/bundles/inspec-compliance/cli.rb +0 -0
  235. data/lib/bundles/inspec-compliance/configuration.rb +0 -0
  236. data/lib/bundles/inspec-compliance/http.rb +0 -0
  237. data/lib/bundles/inspec-compliance/images/cc-token.png +0 -0
  238. data/lib/bundles/inspec-compliance/support.rb +0 -0
  239. data/lib/bundles/inspec-compliance/target.rb +0 -0
  240. data/lib/bundles/inspec-compliance/test/integration/default/cli.rb +0 -0
  241. data/lib/bundles/inspec-habitat.rb +0 -0
  242. data/lib/bundles/inspec-habitat/cli.rb +0 -0
  243. data/lib/bundles/inspec-habitat/log.rb +0 -0
  244. data/lib/bundles/inspec-habitat/profile.rb +0 -0
  245. data/lib/bundles/inspec-init.rb +0 -0
  246. data/lib/bundles/inspec-init/README.md +0 -0
  247. data/lib/bundles/inspec-init/cli.rb +0 -0
  248. data/lib/bundles/inspec-init/templates/profile/README.md +0 -0
  249. data/lib/bundles/inspec-init/templates/profile/controls/example.rb +0 -0
  250. data/lib/bundles/inspec-init/templates/profile/inspec.yml +0 -0
  251. data/lib/bundles/inspec-init/templates/profile/libraries/.gitkeep +0 -0
  252. data/lib/bundles/inspec-supermarket.rb +0 -0
  253. data/lib/bundles/inspec-supermarket/README.md +0 -0
  254. data/lib/bundles/inspec-supermarket/api.rb +0 -0
  255. data/lib/bundles/inspec-supermarket/cli.rb +0 -0
  256. data/lib/bundles/inspec-supermarket/target.rb +0 -0
  257. data/lib/fetchers/git.rb +0 -0
  258. data/lib/fetchers/local.rb +0 -0
  259. data/lib/fetchers/mock.rb +0 -0
  260. data/lib/fetchers/url.rb +0 -0
  261. data/lib/inspec.rb +0 -0
  262. data/lib/inspec/archive/tar.rb +0 -0
  263. data/lib/inspec/archive/zip.rb +0 -0
  264. data/lib/inspec/backend.rb +0 -0
  265. data/lib/inspec/base_cli.rb +2 -0
  266. data/lib/inspec/cached_fetcher.rb +0 -0
  267. data/lib/inspec/cli.rb +0 -0
  268. data/lib/inspec/completions/bash.sh.erb +0 -0
  269. data/lib/inspec/completions/fish.sh.erb +0 -0
  270. data/lib/inspec/completions/zsh.sh.erb +0 -0
  271. data/lib/inspec/control_eval_context.rb +0 -0
  272. data/lib/inspec/dependencies/cache.rb +0 -0
  273. data/lib/inspec/dependencies/dependency_set.rb +0 -0
  274. data/lib/inspec/dependencies/lockfile.rb +0 -0
  275. data/lib/inspec/dependencies/requirement.rb +0 -0
  276. data/lib/inspec/dependencies/resolver.rb +0 -0
  277. data/lib/inspec/describe.rb +0 -0
  278. data/lib/inspec/dsl.rb +0 -0
  279. data/lib/inspec/dsl_shared.rb +0 -0
  280. data/lib/inspec/env_printer.rb +0 -0
  281. data/lib/inspec/errors.rb +0 -0
  282. data/lib/inspec/exceptions.rb +0 -0
  283. data/lib/inspec/expect.rb +0 -0
  284. data/lib/inspec/fetcher.rb +0 -0
  285. data/lib/inspec/file_provider.rb +0 -0
  286. data/lib/inspec/formatters.rb +0 -0
  287. data/lib/inspec/formatters/base.rb +0 -0
  288. data/lib/inspec/formatters/json_rspec.rb +0 -0
  289. data/lib/inspec/formatters/show_progress.rb +0 -0
  290. data/lib/inspec/library_eval_context.rb +0 -0
  291. data/lib/inspec/log.rb +0 -0
  292. data/lib/inspec/metadata.rb +0 -0
  293. data/lib/inspec/method_source.rb +0 -0
  294. data/lib/inspec/objects.rb +0 -0
  295. data/lib/inspec/objects/attribute.rb +11 -1
  296. data/lib/inspec/objects/control.rb +0 -0
  297. data/lib/inspec/objects/describe.rb +0 -0
  298. data/lib/inspec/objects/each_loop.rb +0 -0
  299. data/lib/inspec/objects/list.rb +0 -0
  300. data/lib/inspec/objects/or_test.rb +0 -0
  301. data/lib/inspec/objects/ruby_helper.rb +0 -0
  302. data/lib/inspec/objects/tag.rb +0 -0
  303. data/lib/inspec/objects/test.rb +0 -0
  304. data/lib/inspec/objects/value.rb +0 -0
  305. data/lib/inspec/plugins.rb +0 -0
  306. data/lib/inspec/plugins/cli.rb +0 -0
  307. data/lib/inspec/plugins/fetcher.rb +0 -0
  308. data/lib/inspec/plugins/resource.rb +0 -0
  309. data/lib/inspec/plugins/secret.rb +0 -0
  310. data/lib/inspec/plugins/source_reader.rb +0 -0
  311. data/lib/inspec/polyfill.rb +0 -0
  312. data/lib/inspec/profile.rb +0 -0
  313. data/lib/inspec/profile_context.rb +0 -0
  314. data/lib/inspec/profile_vendor.rb +0 -0
  315. data/lib/inspec/reporters.rb +0 -0
  316. data/lib/inspec/reporters/automate.rb +0 -0
  317. data/lib/inspec/reporters/base.rb +0 -0
  318. data/lib/inspec/reporters/cli.rb +0 -0
  319. data/lib/inspec/reporters/json.rb +0 -0
  320. data/lib/inspec/reporters/json_min.rb +0 -0
  321. data/lib/inspec/reporters/junit.rb +1 -0
  322. data/lib/inspec/require_loader.rb +0 -0
  323. data/lib/inspec/resource.rb +0 -0
  324. data/lib/inspec/rule.rb +0 -0
  325. data/lib/inspec/runner.rb +0 -0
  326. data/lib/inspec/runner_mock.rb +0 -0
  327. data/lib/inspec/runner_rspec.rb +0 -0
  328. data/lib/inspec/runtime_profile.rb +0 -0
  329. data/lib/inspec/schema.rb +0 -0
  330. data/lib/inspec/secrets.rb +0 -0
  331. data/lib/inspec/secrets/yaml.rb +0 -0
  332. data/lib/inspec/shell.rb +0 -0
  333. data/lib/inspec/shell_detector.rb +0 -0
  334. data/lib/inspec/source_reader.rb +0 -0
  335. data/lib/inspec/version.rb +1 -1
  336. data/lib/matchers/matchers.rb +0 -0
  337. data/lib/resource_support/aws.rb +0 -0
  338. data/lib/resource_support/aws/aws_backend_base.rb +0 -0
  339. data/lib/resource_support/aws/aws_backend_factory_mixin.rb +0 -0
  340. data/lib/resource_support/aws/aws_plural_resource_mixin.rb +0 -0
  341. data/lib/resource_support/aws/aws_resource_mixin.rb +0 -0
  342. data/lib/resource_support/aws/aws_singular_resource_mixin.rb +0 -0
  343. data/lib/resources/aide_conf.rb +0 -0
  344. data/lib/resources/apache.rb +0 -0
  345. data/lib/resources/apache_conf.rb +0 -0
  346. data/lib/resources/apt.rb +0 -0
  347. data/lib/resources/audit_policy.rb +0 -0
  348. data/lib/resources/auditd.rb +0 -0
  349. data/lib/resources/auditd_conf.rb +0 -0
  350. data/lib/resources/aws/aws_cloudtrail_trail.rb +16 -0
  351. data/lib/resources/aws/aws_cloudtrail_trails.rb +0 -0
  352. data/lib/resources/aws/aws_cloudwatch_alarm.rb +1 -1
  353. data/lib/resources/aws/aws_cloudwatch_log_metric_filter.rb +0 -0
  354. data/lib/resources/aws/aws_config_delivery_channel.rb +0 -0
  355. data/lib/resources/aws/aws_config_recorder.rb +0 -0
  356. data/lib/resources/aws/aws_ec2_instance.rb +0 -0
  357. data/lib/resources/aws/aws_iam_access_key.rb +0 -0
  358. data/lib/resources/aws/aws_iam_access_keys.rb +0 -0
  359. data/lib/resources/aws/aws_iam_group.rb +4 -2
  360. data/lib/resources/aws/aws_iam_groups.rb +0 -0
  361. data/lib/resources/aws/aws_iam_password_policy.rb +0 -0
  362. data/lib/resources/aws/aws_iam_policies.rb +0 -0
  363. data/lib/resources/aws/aws_iam_policy.rb +148 -0
  364. data/lib/resources/aws/aws_iam_role.rb +0 -0
  365. data/lib/resources/aws/aws_iam_root_user.rb +0 -0
  366. data/lib/resources/aws/aws_iam_user.rb +0 -0
  367. data/lib/resources/aws/aws_iam_users.rb +0 -0
  368. data/lib/resources/aws/aws_kms_key.rb +0 -0
  369. data/lib/resources/aws/aws_kms_keys.rb +0 -0
  370. data/lib/resources/aws/aws_rds_instance.rb +0 -0
  371. data/lib/resources/aws/aws_route_table.rb +0 -0
  372. data/lib/resources/aws/aws_route_tables.rb +0 -0
  373. data/lib/resources/aws/aws_s3_bucket.rb +0 -0
  374. data/lib/resources/aws/aws_s3_bucket_object.rb +0 -0
  375. data/lib/resources/aws/aws_s3_buckets.rb +0 -0
  376. data/lib/resources/aws/aws_security_group.rb +163 -7
  377. data/lib/resources/aws/aws_security_groups.rb +0 -0
  378. data/lib/resources/aws/aws_sns_subscription.rb +0 -0
  379. data/lib/resources/aws/aws_sns_topic.rb +0 -0
  380. data/lib/resources/aws/aws_sns_topics.rb +0 -0
  381. data/lib/resources/aws/aws_subnet.rb +0 -0
  382. data/lib/resources/aws/aws_subnets.rb +0 -0
  383. data/lib/resources/aws/aws_vpc.rb +12 -8
  384. data/lib/resources/aws/aws_vpcs.rb +8 -1
  385. data/lib/resources/azure/azure_backend.rb +0 -0
  386. data/lib/resources/azure/azure_generic_resource.rb +0 -0
  387. data/lib/resources/azure/azure_resource_group.rb +0 -0
  388. data/lib/resources/azure/azure_virtual_machine.rb +0 -0
  389. data/lib/resources/azure/azure_virtual_machine_data_disk.rb +0 -0
  390. data/lib/resources/bash.rb +0 -0
  391. data/lib/resources/bond.rb +0 -0
  392. data/lib/resources/bridge.rb +0 -0
  393. data/lib/resources/chocolatey_package.rb +0 -0
  394. data/lib/resources/command.rb +0 -0
  395. data/lib/resources/cpan.rb +0 -0
  396. data/lib/resources/cran.rb +0 -0
  397. data/lib/resources/crontab.rb +0 -0
  398. data/lib/resources/csv.rb +0 -0
  399. data/lib/resources/dh_params.rb +0 -0
  400. data/lib/resources/directory.rb +0 -0
  401. data/lib/resources/docker.rb +0 -0
  402. data/lib/resources/docker_container.rb +0 -0
  403. data/lib/resources/docker_image.rb +0 -0
  404. data/lib/resources/docker_object.rb +0 -0
  405. data/lib/resources/docker_service.rb +0 -0
  406. data/lib/resources/elasticsearch.rb +0 -0
  407. data/lib/resources/etc_fstab.rb +0 -0
  408. data/lib/resources/etc_group.rb +0 -0
  409. data/lib/resources/etc_hosts.rb +0 -0
  410. data/lib/resources/etc_hosts_allow_deny.rb +0 -0
  411. data/lib/resources/file.rb +0 -0
  412. data/lib/resources/filesystem.rb +0 -0
  413. data/lib/resources/firewalld.rb +0 -0
  414. data/lib/resources/gem.rb +0 -0
  415. data/lib/resources/groups.rb +0 -0
  416. data/lib/resources/grub_conf.rb +0 -0
  417. data/lib/resources/host.rb +0 -0
  418. data/lib/resources/http.rb +0 -0
  419. data/lib/resources/iis_app.rb +0 -0
  420. data/lib/resources/iis_site.rb +0 -0
  421. data/lib/resources/inetd_conf.rb +0 -0
  422. data/lib/resources/ini.rb +0 -0
  423. data/lib/resources/interface.rb +0 -0
  424. data/lib/resources/iptables.rb +0 -0
  425. data/lib/resources/json.rb +0 -0
  426. data/lib/resources/kernel_module.rb +0 -0
  427. data/lib/resources/kernel_parameter.rb +0 -0
  428. data/lib/resources/key_rsa.rb +3 -1
  429. data/lib/resources/limits_conf.rb +0 -0
  430. data/lib/resources/login_def.rb +0 -0
  431. data/lib/resources/mount.rb +0 -0
  432. data/lib/resources/mssql_session.rb +0 -0
  433. data/lib/resources/mysql.rb +0 -0
  434. data/lib/resources/mysql_conf.rb +0 -0
  435. data/lib/resources/mysql_session.rb +0 -0
  436. data/lib/resources/nginx.rb +0 -0
  437. data/lib/resources/nginx_conf.rb +0 -0
  438. data/lib/resources/npm.rb +0 -0
  439. data/lib/resources/ntp_conf.rb +0 -0
  440. data/lib/resources/oneget.rb +0 -0
  441. data/lib/resources/oracledb_session.rb +0 -0
  442. data/lib/resources/os.rb +0 -0
  443. data/lib/resources/os_env.rb +0 -0
  444. data/lib/resources/package.rb +0 -0
  445. data/lib/resources/packages.rb +0 -0
  446. data/lib/resources/parse_config.rb +0 -0
  447. data/lib/resources/passwd.rb +0 -0
  448. data/lib/resources/pip.rb +0 -0
  449. data/lib/resources/platform.rb +0 -0
  450. data/lib/resources/port.rb +0 -0
  451. data/lib/resources/postgres.rb +0 -0
  452. data/lib/resources/postgres_conf.rb +0 -0
  453. data/lib/resources/postgres_hba_conf.rb +0 -0
  454. data/lib/resources/postgres_ident_conf.rb +0 -0
  455. data/lib/resources/postgres_session.rb +0 -0
  456. data/lib/resources/powershell.rb +1 -0
  457. data/lib/resources/processes.rb +0 -0
  458. data/lib/resources/rabbitmq_conf.rb +0 -0
  459. data/lib/resources/registry_key.rb +0 -0
  460. data/lib/resources/security_policy.rb +0 -0
  461. data/lib/resources/service.rb +0 -0
  462. data/lib/resources/shadow.rb +20 -10
  463. data/lib/resources/ssh_conf.rb +0 -0
  464. data/lib/resources/ssl.rb +0 -0
  465. data/lib/resources/sys_info.rb +0 -0
  466. data/lib/resources/toml.rb +0 -0
  467. data/lib/resources/users.rb +0 -0
  468. data/lib/resources/vbscript.rb +0 -0
  469. data/lib/resources/virtualization.rb +0 -0
  470. data/lib/resources/windows_feature.rb +0 -0
  471. data/lib/resources/windows_hotfix.rb +0 -0
  472. data/lib/resources/windows_task.rb +0 -0
  473. data/lib/resources/wmi.rb +0 -0
  474. data/lib/resources/x509_certificate.rb +0 -0
  475. data/lib/resources/xinetd.rb +0 -0
  476. data/lib/resources/xml.rb +0 -0
  477. data/lib/resources/yaml.rb +0 -0
  478. data/lib/resources/yum.rb +0 -0
  479. data/lib/resources/zfs_dataset.rb +0 -0
  480. data/lib/resources/zfs_pool.rb +0 -0
  481. data/lib/source_readers/flat.rb +0 -0
  482. data/lib/source_readers/inspec.rb +0 -0
  483. data/lib/utils/command_wrapper.rb +0 -0
  484. data/lib/utils/convert.rb +0 -0
  485. data/lib/utils/database_helpers.rb +0 -0
  486. data/lib/utils/erlang_parser.rb +0 -0
  487. data/lib/utils/file_reader.rb +0 -0
  488. data/lib/utils/filter.rb +0 -0
  489. data/lib/utils/filter_array.rb +0 -0
  490. data/lib/utils/find_files.rb +0 -0
  491. data/lib/utils/hash.rb +0 -0
  492. data/lib/utils/json_log.rb +0 -0
  493. data/lib/utils/latest_version.rb +0 -0
  494. data/lib/utils/modulator.rb +0 -0
  495. data/lib/utils/nginx_parser.rb +0 -0
  496. data/lib/utils/object_traversal.rb +0 -0
  497. data/lib/utils/parser.rb +0 -0
  498. data/lib/utils/pkey_reader.rb +15 -0
  499. data/lib/utils/plugin_registry.rb +0 -0
  500. data/lib/utils/simpleconfig.rb +0 -0
  501. data/lib/utils/spdx.rb +0 -0
  502. data/lib/utils/spdx.txt +0 -0
  503. metadata +5 -4
@@ -8,31 +8,79 @@ Use the `aws_security_group` InSpec audit resource to test detailed properties o
8
8
 
9
9
  SGs are a networking construct which contain ingress and egress rules for network communications. SGs may be attached to EC2 instances, as well as certain other AWS resources. Along with Network Access Control Lists, SGs are one of the two main mechanisms of enforcing network-level security.
10
10
 
11
+ ## Limitations
12
+
13
+ While this resource provides facilities for searching inbound and outbound rules on a variety of criteria, there is currently no support for performing matches based on:
14
+
15
+ * IPv6 ranges
16
+ * References to other Security Groups
17
+ * References to VPC peers or other AWS services (that is, no support for searches based on 'prefix lists').
18
+
11
19
  <br>
12
20
 
13
21
  ## Syntax
14
22
 
15
- An `aws_security_group` resource block uses resource parameters to search for a Security Group and then tests that Security Group. If no SGs match, no error is raised, but the `exists` matcher returns `false` and all properties will be `nil`. If more than one SG matches (due to vague search parameters), an error is raised.
23
+ Resource parameters: group_id, group_name, id, vpc_id
16
24
 
17
- # Ensure you have a security group with a certain ID
25
+ An `aws_security_group` resource block uses resource parameters to search for and then test a Security Group. If no SGs match, no error is raised, but the `exists` matcher returns `false`, and all scalar properties are `nil`. List properties returned under these conditions are empty lists. If more than one SG matches (due to vague search parameters), an error is raised.
26
+
27
+ # Ensure you have a Security Group with a specific ID
18
28
  # This is "safe" - SG IDs are unique within an account
19
29
  describe aws_security_group('sg-12345678') do
20
30
  it { should exist }
21
31
  end
22
32
 
23
- # Ensure you have a security group with a certain ID
33
+ # Ensure you have a Security Group with a specific ID
24
34
  # This uses hash syntax
25
35
  describe aws_security_group(id: 'sg-12345678') do
26
36
  it { should exist }
27
37
  end
28
38
 
39
+ # Ensure you have a Security Group with a specific name. Names are
40
+ # unique within a VPC but not across VPCs.
41
+ # Using only Group returns an error if multiple SGs match.
42
+ describe aws_security_group(group_name: 'my-group') do
43
+ it { should exist }
44
+ end
45
+ # Add vpc_id to ensure uniqueness.
46
+ describe aws_security_group(group_name: 'my-group', vpc_id: 'vpc-12345678') do
47
+ it { should exist }
48
+ end
49
+
29
50
  <br>
30
51
 
31
52
  ## Examples
32
53
 
33
54
  The following examples show how to use this InSpec audit resource.
34
55
 
35
- As this is the initial release of `aws_security_group`, its limited functionality precludes examples.
56
+ # Ensure that the linux_servers Security Group permits
57
+ # SSH from the 10.5.0.0/16 range, but not the world.
58
+ describe aws_security_group(group_name: linux_servers) do
59
+ # This passes if any inbound rule exists that specifies
60
+ # port 22 and the given IP range, regardless of protocol, etc.
61
+ it { should allow_in(port: 22, ipv4_range: '10.5.0.0/16') }
62
+
63
+ # This passes so long as no inbound rule that specifies port 22 exists
64
+ # with a source IP range of 0.0.0.0/0. Other properties are ignored.
65
+ it { should_not allow_in(port: 22, ipv4_range: '0.0.0.0/0') }
66
+
67
+ end
68
+
69
+ # Ensure that the careful_updates Security Group may only initiate contact with specific IPs.
70
+ describe aws_security_group(group_name: 'careful_updates') do
71
+
72
+ # If you have two rules, with one CIDR each:
73
+ [ '10.7.23.12/32', '10.8.23.12/32' ].each do |allowed_destination|
74
+ # This doesn't care about which ports are enabled
75
+ it { should allow_out(ipv4_range: allowed_destination) }
76
+ end
77
+
78
+ # If you have one rule with two CIDRs:
79
+ it { should allow_out(ipv4_range: [ '10.7.23.12/32', '10.8.23.12/32' ] }
80
+
81
+ # Expect exactly three rules.
82
+ its('outbound_rules.count') { should cmp 3 }
83
+ end
36
84
 
37
85
  <br>
38
86
 
@@ -42,7 +90,7 @@ This InSpec resource accepts the following parameters, which are used to search
42
90
 
43
91
  ### id, group\_id
44
92
 
45
- The Security Group ID of the Security Group. This is of the format `sg-` followed by 8 hexadecimal characters. The ID is unique within your AWS account; using ID ensures that you will never match more than one SG. The ID is also the default resource parameter, so you may omit the hash syntax.
93
+ The Security Group ID of the Security Group. This is of the format `sg-` followed by 8 hexadecimal characters. The ID is unique within your AWS account; using ID ensures a match of only one SG. The ID is also the default resource parameter, so you may omit the hash syntax.
46
94
 
47
95
  # Using Hash syntax
48
96
  describe aws_security_group(id: 'sg-12345678') do
@@ -61,23 +109,23 @@ The Security Group ID of the Security Group. This is of the format `sg-` followe
61
109
 
62
110
  ### group\_name
63
111
 
64
- The string name of the Security Group. Every VPC has a security group named 'default'. Names are unique within a VPC, but not within an AWS account.
112
+ The string name of the Security Group. Every VPC has a Security Group named 'default'. Names are unique within a VPC, but not within an AWS account.
65
113
 
66
- # Get default security group for a certain VPC
114
+ # Get default Security Group for a specific VPC
67
115
  describe aws_security_group(group_name: 'default', vpc_id: vpc_id: 'vpc-12345678') do
68
116
  it { should exist }
69
117
  end
70
118
 
71
- # This will throw an error if there is a 'backend' SG in more than one VPC.
119
+ # This throws an error if more than one VPC has a 'backend' SG.
72
120
  describe aws_security_group(group_name: 'backend') do
73
121
  it { should exist }
74
122
  end
75
123
 
76
124
  ### vpc\_id
77
125
 
78
- A string identifying the VPC that contains the security group. Since VPCs commonly contain many SGs, you should add additional parameters to ensure you find exactly one SG.
126
+ A string identifying the VPC that contains the Security Group. Since VPCs commonly contain many SGs, you should add additional parameters to ensure you find exactly one SG.
79
127
 
80
- # This will error if there is more than the default SG
128
+ # This throws an error if more than the default SG exists
81
129
  describe aws_security_group(vpc_id: 'vpc-12345678') do
82
130
  it { should exist }
83
131
  end
@@ -85,7 +133,7 @@ A string identifying the VPC that contains the security group. Since VPCs common
85
133
  <br>
86
134
  ## Properties
87
135
 
88
- * `description`, `group_id', `group_name`, `vpc_id`
136
+ * [`description`](#description), [`group_id`](#group_id), [`group_name`](#group_name), [`inbound_rules`](#inbound_rules), [`outbound_rules`](#outbound_rules), [`vpc_id`](#vpc_id)
89
137
 
90
138
  <br>
91
139
 
@@ -95,7 +143,7 @@ A string identifying the VPC that contains the security group. Since VPCs common
95
143
 
96
144
  A String reflecting the human-meaningful description that was given to the SG at creation time.
97
145
 
98
- # Require a description of a particular group
146
+ # Require a description of a particular Security Group
99
147
  describe aws_security_group('sg-12345678') do
100
148
  its('description') { should_not be_empty }
101
149
  end
@@ -104,28 +152,52 @@ A String reflecting the human-meaningful description that was given to the SG at
104
152
 
105
153
  Provides the Security Group ID.
106
154
 
107
- # Inspect the group ID of the default group
155
+ # Inspect the Security group ID of the default Group
108
156
  describe aws_security_group(group_name: 'default', vpc_id: vpc_id: 'vpc-12345678') do
109
157
  its('group_id') { should cmp 'sg-12345678' }
110
158
  end
111
159
 
112
- # Store the group ID in a Ruby variable for use elsewhere
160
+ # Store the Group ID in a Ruby variable for use elsewhere
113
161
  sg_id = aws_security_group(group_name: 'default', vpc_id: vpc_id: 'vpc-12345678').group_id
114
162
 
115
163
  ### group\_name
116
164
 
117
165
  A String reflecting the name that was given to the SG at creation time.
118
166
 
119
- # Inspect the group name of a particular group
167
+ # Inspect the Group name of a particular Group
120
168
  describe aws_security_group('sg-12345678') do
121
169
  its('group_name') { should cmp 'my_group' }
122
170
  end
123
171
 
172
+ ### inbound\_rules
173
+
174
+ A list of the rules that the Security Group applies to incoming network traffic. This is a low-level property that is used by the [`allow_in`](#allow_in) and [`allow_in_only`](#allow_in_only) matchers; see them for detailed examples. `inbound_rules` is provided here for those wishing to use Ruby code to inspect the rules directly, instead of using higher-level matchers.
175
+
176
+ Order is critical in these rules, as the sequentially first rule to match is applied to network traffic. By default, AWS includes a reject-all rule as the last inbound rule. This implicit rule does not appear in the inbound_rules list.
177
+
178
+ If the Security Group could not be found (that is, `exists` is false), `inbound_rules` returns an empty list.
179
+
180
+ describe aws_security_group(group_name: linux_servers) do
181
+ its('inbound_rules.first') { should include(from_port: '22', ip_ranges: ['10.2.17.0/24']) }
182
+ end
183
+
184
+ ### outbound\_rules
185
+
186
+ A list of the rules that the Security Group applies to outgoing network traffic initiated by the AWS resource in the Security Group. This is a low-level property that is used by the [`allow_out`](#allow_out) matcher; see it for detailed examples. `outbound_rules` is provided here for those wishing to use Ruby code to inspect the rules directly, instead of using higher-level matchers.
187
+
188
+ Order is critical in these rules, as the sequentially first rule to match is applied to network traffic. Outbound rules are typically used when it is desirable to restrict which portions of the internet, if any, a resource may access. By default, AWS includes an allow-all rule as the last outbound rule; note that Terraform removes this implicit rule.
189
+
190
+ If the Security Group could not be found (that is, `exists` is false), `outbound_rules` returns an empty list.
191
+
192
+ describe aws_security_group(group_name: isolated_servers) do
193
+ its('outbound_rules.last') { should_not include(ip_ranges:['0.0.0.0/0']) }
194
+ end
195
+
124
196
  ### vpc\_id
125
197
 
126
- A String in the format 'vpc-' followed by 8 hexadecimal characters reflecting VPC that contains the security group.
198
+ A String in the format 'vpc-' followed by 8 hexadecimal characters reflecting VPC that contains the Security Group.
127
199
 
128
- # Inspec the VPC ID of a particular group
200
+ # Inspec the VPC ID of a particular Group
129
201
  describe aws_security_group('sg-12345678') do
130
202
  its('vpc_id') { should cmp 'vpc-12345678' }
131
203
  end
@@ -134,18 +206,85 @@ A String in the format 'vpc-' followed by 8 hexadecimal characters reflecting VP
134
206
 
135
207
  ## Matchers
136
208
 
137
- This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
209
+ This InSpec audit resource has the following special matchers. For a full list of additional available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
210
+
211
+ * [`allow_in`](#allow_in), [`allow_in_only`](#allow_in_only), [`allow_out`](#allow_out), [`allow_out_only`](#allow_out_only)
212
+
213
+ ### allow\_in
214
+
215
+ ### allow\_out
216
+
217
+ ### allow\_in\_only
218
+
219
+ ### allow\_out\_only
220
+
221
+ The `allow` series of matchers enable you to perform queries about what network traffic would be permitted through the Security Group rule set.
222
+
223
+ `allow_in` and `allow_in_exactly` examine inbound rules, and `allow_out` and `allow_out_exactly` examine outbound rules.
138
224
 
225
+ `allow_in` and `allow_out` examine if at least one rule that matches the criteria exists. `allow_in` and `allow_out` also perform inexact (ie, range-based or subset-based) matching on ports and IP addresses ranges, allowing you to specify a candidate port or IP address and determine if it is covered by a rule.
226
+
227
+ `allow_in_only` and `allow_out_only` examines if exactly one rule exists (but see `position`, below), and if it matches the criteria (this is useful for ensuring no unexpected rules have been added). Additionally, `allow_in_only` and `allow_out_only` do _not_ perform inexact matching; you must specify exactly the port range or IP address(es) you wish to match.
228
+
229
+ The matchers accept a key-value list of search criteria. For a rule to match, it must match all provided criteria.
230
+
231
+ * from_port - Determines if a rule exists whose port range begins at the specified number. The word 'from_' does *not* relate to inbound/outbound directionality; it relates to the port range ("counting _from_"). `from_port` is an exact criterion; so if the rule allows 1000-2000 and you specify a `from_port` of 1001, it does not match.
232
+ * ipv4_range - Specifies an IPv4 address or subnet as a CIDR, or a list of them, to be checked as a permissible origin (for `allow_in`) or destination (for `allow_out`) for traffic. Each AWS Security Group rule may have multiple allowed source IP ranges.
233
+ * port - Determines if a particular TCP/IP port is reachable. allow_in and allow_out examine whether the specified port is included in the port range of a rule, while allow_in. You may specify the port as a string (`'22'`) or as a number.
234
+ * position - A one-based index into the list of rules. If provided, this restricts the evaluation to the rule at that position. You may also use the special values `:first` and `:last`. `position` may also be used to enable `allow_in_only` and `allow_out_only` to work with multi-rule Security Groups.
235
+ * protocol - Specifies the IP protocol. 'tcp', 'udp', and 'icmp' are some typical values. The string "-1" or 'any' is used to indicate any protocol.
236
+ * to_port - Determines if a rule exists whose port range ends at the specified number. The word 'to_' does *not* relate to inbound/outbound directionality; it relates to the port range ("counting _to_"). `to_port` is an exact criterion; so if the rule allows 1000-2000 and you specify a `to_port` of 1999, it does not match.
237
+
238
+ describe aws_security_group(group_name: 'mixed-functionality-group') do
239
+ # Allow RDP from defined range
240
+ it { should allow_in(port: 3389, ipv4_range: '10.5.0.0/16') }
241
+
242
+ # Allow SSH from two ranges
243
+ it { should allow_in(port: 22, ipv4_range: ['10.5.0.0/16', '10.2.3.0/24']) }
244
+
245
+ # Check Bacula port range
246
+ it { should allow_in(from_port: 9101, to_port: 9103, ipv4_range: '10.6.7.0/24') }
247
+
248
+ # Assuming the AWS SG allows 9001-9003, use inexact matching to check 9002
249
+ it { should allow_in(port: 9002) }
250
+
251
+ # Assuming the AWS SG allows 10.2.1.0/24, use inexact matching to check 10.2.1.33/32
252
+ it { should allow_in(ipv4_range: '10.2.1.33/32') }
253
+
254
+ # Ensure the 3rd outbound rule is TCP-based
255
+ it { should allow_in(protocol: 'tcp', position: 3') }
256
+
257
+ # Do not allow unrestricted IPv4 access.
258
+ it { should_not allow_in(ipv4_range: '0.0.0.0/0') }
259
+ end
260
+
261
+ # Suppose you have a Group that should allow SSH and RDP from
262
+ # the admin network, 10.5.0.0/16. The resource has 2 rules to
263
+ # allow this, and you want to ensure no others have been added.
264
+ describe aws_security_group(group_name: 'admin-group') do
265
+ # Allow RDP from a defined range and nothing else
266
+ # The SG must have this rule in position 1 and it must match this exactly
267
+ it { should allow_in_only(port: 3389, ipv4_range: '10.5.0.0/16', position: 1) }
268
+
269
+ # Specify position 2 for the SSH rule. Without `position`,
270
+ # allow_in_only only allows one rule, total.
271
+ it { should allow_in_only(port: 22, ipv4_range: '10.5.0.0/16', position: 2) }
272
+
273
+ # Because this is an _only matcher, this fails - _only matchers
274
+ # use exact IP matching.
275
+ it { should allow_in_only(port: 3389, ipv4_range: '10.5.1.34/32', position: 1) }
276
+ end
277
+
139
278
  ### exists
140
279
 
141
- The control will pass if the specified SG was found. Use `should_not` if you want to verify that the specified SG does not exist.
280
+ The control passes if the specified Security Group was found. Use `should_not` if you want to verify that the specified SG does not exist.
142
281
 
143
- # You will always have at least one SG, the VPC default SG
282
+ # You always have at least one SG, the VPC default SG
144
283
  describe aws_security_group(group_name: 'default')
145
284
  it { should exist }
146
285
  end
147
286
 
148
- # Make sure we don't have any security groups with the name 'nogood'
287
+ # Make sure we don't have any Security Groups with the name 'nogood'
149
288
  describe aws_security_group(group_name: 'nogood')
150
289
  it { should_not exist }
151
290
  end
@@ -20,23 +20,94 @@ Every AWS account has at least one VPC, the "default" VPC, in every region.
20
20
  An `aws_vpcs` resource block uses an optional filter to select a group of VPCs and then tests that group.
21
21
 
22
22
  # The control will pass if the filter returns at least one result. Use `should_not` if you expect zero matches.
23
+
24
+ # Since you always have at least one VPC, this will always pass.
23
25
  describe aws_vpcs do
24
26
  it { should exist }
25
27
  end
26
28
 
29
+ # Insist that all VPCs use the same DHCP option set.
30
+ describe aws_vpcs.where { dhcp_options_id != 'dopt-12345678' } do
31
+ it { should_not exist }
32
+ end
33
+
27
34
  <br>
28
35
 
29
36
  ## Examples
30
37
 
31
38
  The following examples show how to use this InSpec audit resource.
32
39
 
33
- As this is the initial release of `aws_vpcs`, its limited functionality precludes examples.
40
+ ### Check for a Particular VPC ID
41
+
42
+ describe aws_vpcs do
43
+ its('vpc_ids') { should include 'vpc-12345678' }
44
+ end
45
+
46
+ ### Use the VPC IDs to Get a List of Default Security Groups
47
+
48
+ aws_vpcs.vpc_ids.each do |vpc_id|
49
+ describe aws_security_group(vpc_id: vpc_id, group_name: 'default') do
50
+ it { should_not allow_in(port: 22) }
51
+ end
52
+ end
34
53
 
35
54
  <br>
36
55
 
56
+ ## Filter Criteria
57
+
58
+ ### cidr_block
59
+
60
+ Filters the results to include only those VPCs that match the given IPv4 range. This is a string value.
61
+
62
+ # We shun the 10.0.0.0/8 space
63
+ describe aws_vpcs.where { cidr_block.start_with?('10') } do
64
+ it { should_not exist }
65
+ end
66
+
67
+ ### dhcp_option_id
68
+
69
+ Filters the results to include only those VPCs that have the given DHCP Option Set.
70
+
71
+ # Insist on one DHCP option set for all VPCs.
72
+ describe aws_vpcs.where { dhcp_options_id != 'dopt-12345678' } do
73
+ it { should_not exist }
74
+ end
75
+
76
+ ## Properties
77
+
78
+ ### cidr_blocks
79
+
80
+ The cidr_blocks property provides a list of the CIDR blocks that the matched VPCs serve as strings.
81
+
82
+ describe aws_vpcs do
83
+ # This is simple array membership checking - not subnet membership
84
+ its('cidr_blocks') { should include '179.0.0.0/16' }
85
+ end
86
+
87
+ ### dhcp_options_ids
88
+
89
+ The dhcp_option_set_ids property provides a de-duplicated list of the DHCP Option Set IDs that the matched VPCs use when assigning IPs to resources.
90
+
91
+ describe aws_vpcs do
92
+ its('dhcp_options_ids') { should include 'dopt-12345678' }
93
+ end
94
+
95
+ ### vpc_ids
96
+
97
+ The vpc_ids property provides a list of the IDs of the matched VPCs.
98
+
99
+ describe aws_vpcs do
100
+ its('vpc_ids') { should include 'vpc-12345678' }
101
+ end
102
+
103
+ # Get a list of all VPC IDs
104
+ aws_vpcs.vpc_ids.each do |vpc_id|
105
+ # Do something with vpc_id
106
+ end
107
+
37
108
  ## Matchers
38
109
 
39
- This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
110
+ This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
40
111
 
41
112
  ### exists
42
113
 