inspec 2.1.80 → 2.1.81

Files changed (510) hide show
  1. checksums.yaml +4 -4
  2. data/.rubocop.yml +101 -101
  3. data/CHANGELOG.md +3177 -3172
  4. data/Gemfile +56 -56
  5. data/LICENSE +14 -14
  6. data/MAINTAINERS.md +33 -33
  7. data/MAINTAINERS.toml +52 -52
  8. data/README.md +453 -453
  9. data/Rakefile +349 -349
  10. data/bin/inspec +12 -12
  11. data/docs/.gitignore +2 -2
  12. data/docs/README.md +40 -40
  13. data/docs/dev/control-eval.md +61 -61
  14. data/docs/dsl_inspec.md +258 -258
  15. data/docs/dsl_resource.md +100 -100
  16. data/docs/glossary.md +99 -99
  17. data/docs/habitat.md +191 -191
  18. data/docs/inspec_and_friends.md +114 -114
  19. data/docs/matchers.md +169 -169
  20. data/docs/migration.md +293 -293
  21. data/docs/platforms.md +118 -118
  22. data/docs/plugin_kitchen_inspec.md +50 -50
  23. data/docs/profiles.md +378 -378
  24. data/docs/reporters.md +105 -105
  25. data/docs/resources/aide_conf.md.erb +75 -75
  26. data/docs/resources/apache.md.erb +67 -67
  27. data/docs/resources/apache_conf.md.erb +68 -68
  28. data/docs/resources/apt.md.erb +71 -71
  29. data/docs/resources/audit_policy.md.erb +47 -47
  30. data/docs/resources/auditd.md.erb +79 -79
  31. data/docs/resources/auditd_conf.md.erb +68 -68
  32. data/docs/resources/aws_cloudtrail_trail.md.erb +155 -155
  33. data/docs/resources/aws_cloudtrail_trails.md.erb +86 -86
  34. data/docs/resources/aws_cloudwatch_alarm.md.erb +91 -91
  35. data/docs/resources/aws_cloudwatch_log_metric_filter.md.erb +154 -154
  36. data/docs/resources/aws_config_delivery_channel.md.erb +101 -101
  37. data/docs/resources/aws_config_recorder.md.erb +86 -86
  38. data/docs/resources/aws_ec2_instance.md.erb +112 -112
  39. data/docs/resources/aws_ec2_instances.md.erb +79 -79
  40. data/docs/resources/aws_iam_access_key.md.erb +129 -129
  41. data/docs/resources/aws_iam_access_keys.md.erb +204 -204
  42. data/docs/resources/aws_iam_group.md.erb +64 -64
  43. data/docs/resources/aws_iam_groups.md.erb +49 -49
  44. data/docs/resources/aws_iam_password_policy.md.erb +82 -82
  45. data/docs/resources/aws_iam_policies.md.erb +87 -87
  46. data/docs/resources/aws_iam_policy.md.erb +245 -245
  47. data/docs/resources/aws_iam_role.md.erb +69 -69
  48. data/docs/resources/aws_iam_root_user.md.erb +76 -76
  49. data/docs/resources/aws_iam_user.md.erb +120 -120
  50. data/docs/resources/aws_iam_users.md.erb +279 -279
  51. data/docs/resources/aws_kms_key.md.erb +177 -177
  52. data/docs/resources/aws_kms_keys.md.erb +89 -89
  53. data/docs/resources/aws_rds_instance.md.erb +66 -66
  54. data/docs/resources/aws_route_table.md.erb +53 -53
  55. data/docs/resources/aws_route_tables.md.erb +55 -55
  56. data/docs/resources/aws_s3_bucket.md.erb +146 -146
  57. data/docs/resources/aws_s3_bucket_object.md.erb +89 -89
  58. data/docs/resources/aws_s3_buckets.md.erb +59 -59
  59. data/docs/resources/aws_security_group.md.erb +296 -296
  60. data/docs/resources/aws_security_groups.md.erb +97 -97
  61. data/docs/resources/aws_sns_subscription.md.erb +130 -130
  62. data/docs/resources/aws_sns_topic.md.erb +69 -69
  63. data/docs/resources/aws_sns_topics.md.erb +58 -58
  64. data/docs/resources/aws_subnet.md.erb +140 -140
  65. data/docs/resources/aws_subnets.md.erb +132 -132
  66. data/docs/resources/aws_vpc.md.erb +125 -125
  67. data/docs/resources/aws_vpcs.md.erb +125 -125
  68. data/docs/resources/azure_generic_resource.md.erb +171 -171
  69. data/docs/resources/azure_resource_group.md.erb +284 -284
  70. data/docs/resources/azure_virtual_machine.md.erb +347 -347
  71. data/docs/resources/azure_virtual_machine_data_disk.md.erb +224 -224
  72. data/docs/resources/bash.md.erb +75 -75
  73. data/docs/resources/bond.md.erb +90 -90
  74. data/docs/resources/bridge.md.erb +57 -57
  75. data/docs/resources/bsd_service.md.erb +67 -67
  76. data/docs/resources/chocolatey_package.md.erb +58 -58
  77. data/docs/resources/command.md.erb +138 -138
  78. data/docs/resources/cpan.md.erb +79 -79
  79. data/docs/resources/cran.md.erb +64 -64
  80. data/docs/resources/crontab.md.erb +89 -89
  81. data/docs/resources/csv.md.erb +54 -54
  82. data/docs/resources/dh_params.md.erb +205 -205
  83. data/docs/resources/directory.md.erb +30 -30
  84. data/docs/resources/docker.md.erb +219 -219
  85. data/docs/resources/docker_container.md.erb +103 -103
  86. data/docs/resources/docker_image.md.erb +94 -94
  87. data/docs/resources/docker_service.md.erb +114 -114
  88. data/docs/resources/elasticsearch.md.erb +242 -242
  89. data/docs/resources/etc_fstab.md.erb +125 -125
  90. data/docs/resources/etc_group.md.erb +75 -75
  91. data/docs/resources/etc_hosts.md.erb +78 -78
  92. data/docs/resources/etc_hosts_allow.md.erb +74 -74
  93. data/docs/resources/etc_hosts_deny.md.erb +74 -74
  94. data/docs/resources/file.md.erb +526 -526
  95. data/docs/resources/filesystem.md.erb +41 -41
  96. data/docs/resources/firewalld.md.erb +107 -107
  97. data/docs/resources/gem.md.erb +79 -79
  98. data/docs/resources/group.md.erb +61 -61
  99. data/docs/resources/grub_conf.md.erb +101 -101
  100. data/docs/resources/host.md.erb +86 -86
  101. data/docs/resources/http.md.erb +197 -197
  102. data/docs/resources/iis_app.md.erb +122 -122
  103. data/docs/resources/iis_site.md.erb +135 -135
  104. data/docs/resources/inetd_conf.md.erb +94 -94
  105. data/docs/resources/ini.md.erb +76 -76
  106. data/docs/resources/interface.md.erb +58 -58
  107. data/docs/resources/iptables.md.erb +64 -64
  108. data/docs/resources/json.md.erb +63 -63
  109. data/docs/resources/kernel_module.md.erb +120 -120
  110. data/docs/resources/kernel_parameter.md.erb +53 -53
  111. data/docs/resources/key_rsa.md.erb +85 -85
  112. data/docs/resources/launchd_service.md.erb +57 -57
  113. data/docs/resources/limits_conf.md.erb +75 -75
  114. data/docs/resources/login_defs.md.erb +71 -71
  115. data/docs/resources/mount.md.erb +69 -69
  116. data/docs/resources/mssql_session.md.erb +60 -60
  117. data/docs/resources/mysql_conf.md.erb +99 -99
  118. data/docs/resources/mysql_session.md.erb +74 -74
  119. data/docs/resources/nginx.md.erb +79 -79
  120. data/docs/resources/nginx_conf.md.erb +138 -138
  121. data/docs/resources/npm.md.erb +60 -60
  122. data/docs/resources/ntp_conf.md.erb +60 -60
  123. data/docs/resources/oneget.md.erb +53 -53
  124. data/docs/resources/oracledb_session.md.erb +52 -52
  125. data/docs/resources/os.md.erb +141 -141
  126. data/docs/resources/os_env.md.erb +91 -91
  127. data/docs/resources/package.md.erb +120 -120
  128. data/docs/resources/packages.md.erb +67 -67
  129. data/docs/resources/parse_config.md.erb +103 -103
  130. data/docs/resources/parse_config_file.md.erb +138 -138
  131. data/docs/resources/passwd.md.erb +141 -141
  132. data/docs/resources/pip.md.erb +67 -67
  133. data/docs/resources/port.md.erb +137 -137
  134. data/docs/resources/postgres_conf.md.erb +79 -79
  135. data/docs/resources/postgres_hba_conf.md.erb +93 -93
  136. data/docs/resources/postgres_ident_conf.md.erb +76 -76
  137. data/docs/resources/postgres_session.md.erb +69 -69
  138. data/docs/resources/powershell.md.erb +102 -102
  139. data/docs/resources/processes.md.erb +109 -109
  140. data/docs/resources/rabbitmq_config.md.erb +41 -41
  141. data/docs/resources/registry_key.md.erb +158 -158
  142. data/docs/resources/runit_service.md.erb +57 -57
  143. data/docs/resources/security_policy.md.erb +47 -47
  144. data/docs/resources/service.md.erb +121 -121
  145. data/docs/resources/shadow.md.erb +146 -146
  146. data/docs/resources/ssh_config.md.erb +73 -73
  147. data/docs/resources/sshd_config.md.erb +83 -83
  148. data/docs/resources/ssl.md.erb +119 -119
  149. data/docs/resources/sys_info.md.erb +42 -42
  150. data/docs/resources/systemd_service.md.erb +57 -57
  151. data/docs/resources/sysv_service.md.erb +57 -57
  152. data/docs/resources/upstart_service.md.erb +57 -57
  153. data/docs/resources/user.md.erb +140 -140
  154. data/docs/resources/users.md.erb +127 -127
  155. data/docs/resources/vbscript.md.erb +55 -55
  156. data/docs/resources/virtualization.md.erb +57 -57
  157. data/docs/resources/windows_feature.md.erb +47 -47
  158. data/docs/resources/windows_hotfix.md.erb +53 -53
  159. data/docs/resources/windows_task.md.erb +95 -95
  160. data/docs/resources/wmi.md.erb +81 -81
  161. data/docs/resources/x509_certificate.md.erb +151 -151
  162. data/docs/resources/xinetd_conf.md.erb +156 -156
  163. data/docs/resources/xml.md.erb +85 -85
  164. data/docs/resources/yaml.md.erb +69 -69
  165. data/docs/resources/yum.md.erb +98 -98
  166. data/docs/resources/zfs_dataset.md.erb +53 -53
  167. data/docs/resources/zfs_pool.md.erb +47 -47
  168. data/docs/ruby_usage.md +203 -203
  169. data/docs/shared/matcher_be.md.erb +1 -1
  170. data/docs/shared/matcher_cmp.md.erb +43 -43
  171. data/docs/shared/matcher_eq.md.erb +3 -3
  172. data/docs/shared/matcher_include.md.erb +1 -1
  173. data/docs/shared/matcher_match.md.erb +1 -1
  174. data/docs/shell.md +217 -217
  175. data/examples/README.md +8 -8
  176. data/examples/inheritance/README.md +65 -65
  177. data/examples/inheritance/controls/example.rb +14 -14
  178. data/examples/inheritance/inspec.yml +15 -15
  179. data/examples/kitchen-ansible/.kitchen.yml +25 -25
  180. data/examples/kitchen-ansible/Gemfile +19 -19
  181. data/examples/kitchen-ansible/README.md +53 -53
  182. data/examples/kitchen-ansible/files/nginx.repo +6 -6
  183. data/examples/kitchen-ansible/tasks/main.yml +16 -16
  184. data/examples/kitchen-ansible/test/integration/default/default.yml +5 -5
  185. data/examples/kitchen-ansible/test/integration/default/web_spec.rb +28 -28
  186. data/examples/kitchen-chef/.kitchen.yml +20 -20
  187. data/examples/kitchen-chef/Berksfile +3 -3
  188. data/examples/kitchen-chef/Gemfile +19 -19
  189. data/examples/kitchen-chef/README.md +27 -27
  190. data/examples/kitchen-chef/metadata.rb +7 -7
  191. data/examples/kitchen-chef/recipes/default.rb +6 -6
  192. data/examples/kitchen-chef/recipes/nginx.rb +30 -30
  193. data/examples/kitchen-chef/test/integration/default/web_spec.rb +28 -28
  194. data/examples/kitchen-puppet/.kitchen.yml +23 -23
  195. data/examples/kitchen-puppet/Gemfile +20 -20
  196. data/examples/kitchen-puppet/Puppetfile +25 -25
  197. data/examples/kitchen-puppet/README.md +53 -53
  198. data/examples/kitchen-puppet/manifests/site.pp +33 -33
  199. data/examples/kitchen-puppet/metadata.json +11 -11
  200. data/examples/kitchen-puppet/modules/.gitkeep +0 -0
  201. data/examples/kitchen-puppet/test/integration/default/web_spec.rb +28 -28
  202. data/examples/meta-profile/README.md +37 -37
  203. data/examples/meta-profile/controls/example.rb +13 -13
  204. data/examples/meta-profile/inspec.yml +13 -13
  205. data/examples/profile-attribute.yml +2 -2
  206. data/examples/profile-attribute/README.md +14 -14
  207. data/examples/profile-attribute/controls/example.rb +11 -11
  208. data/examples/profile-attribute/inspec.yml +8 -8
  209. data/examples/profile-aws/controls/iam_password_policy_expiration.rb +8 -8
  210. data/examples/profile-aws/controls/iam_password_policy_max_age.rb +8 -8
  211. data/examples/profile-aws/controls/iam_root_user_mfa.rb +8 -8
  212. data/examples/profile-aws/controls/iam_users_access_key_age.rb +8 -8
  213. data/examples/profile-aws/controls/iam_users_console_users_mfa.rb +8 -8
  214. data/examples/profile-aws/inspec.yml +11 -11
  215. data/examples/profile-azure/controls/azure_resource_group_example.rb +24 -24
  216. data/examples/profile-azure/controls/azure_vm_example.rb +29 -29
  217. data/examples/profile-azure/inspec.yml +11 -11
  218. data/examples/profile-sensitive/README.md +29 -29
  219. data/examples/profile-sensitive/controls/sensitive-failures.rb +9 -9
  220. data/examples/profile-sensitive/controls/sensitive.rb +9 -9
  221. data/examples/profile-sensitive/inspec.yml +8 -8
  222. data/examples/profile/README.md +48 -48
  223. data/examples/profile/controls/example.rb +23 -23
  224. data/examples/profile/controls/gordon.rb +36 -36
  225. data/examples/profile/controls/meta.rb +34 -34
  226. data/examples/profile/inspec.yml +10 -10
  227. data/examples/profile/libraries/gordon_config.rb +59 -59
  228. data/inspec.gemspec +49 -49
  229. data/lib/bundles/README.md +3 -3
  230. data/lib/bundles/inspec-artifact.rb +7 -7
  231. data/lib/bundles/inspec-artifact/README.md +1 -1
  232. data/lib/bundles/inspec-artifact/cli.rb +277 -277
  233. data/lib/bundles/inspec-compliance.rb +16 -16
  234. data/lib/bundles/inspec-compliance/.kitchen.yml +20 -20
  235. data/lib/bundles/inspec-compliance/README.md +193 -193
  236. data/lib/bundles/inspec-compliance/api.rb +360 -360
  237. data/lib/bundles/inspec-compliance/api/login.rb +193 -193
  238. data/lib/bundles/inspec-compliance/bootstrap.sh +41 -41
  239. data/lib/bundles/inspec-compliance/cli.rb +260 -260
  240. data/lib/bundles/inspec-compliance/configuration.rb +103 -103
  241. data/lib/bundles/inspec-compliance/http.rb +125 -125
  242. data/lib/bundles/inspec-compliance/images/cc-token.png +0 -0
  243. data/lib/bundles/inspec-compliance/support.rb +36 -36
  244. data/lib/bundles/inspec-compliance/target.rb +112 -112
  245. data/lib/bundles/inspec-compliance/test/integration/default/cli.rb +93 -93
  246. data/lib/bundles/inspec-habitat.rb +12 -12
  247. data/lib/bundles/inspec-habitat/cli.rb +36 -36
  248. data/lib/bundles/inspec-habitat/log.rb +10 -10
  249. data/lib/bundles/inspec-habitat/profile.rb +391 -391
  250. data/lib/bundles/inspec-init.rb +8 -8
  251. data/lib/bundles/inspec-init/README.md +31 -31
  252. data/lib/bundles/inspec-init/cli.rb +97 -97
  253. data/lib/bundles/inspec-init/templates/profile/README.md +3 -3
  254. data/lib/bundles/inspec-init/templates/profile/controls/example.rb +19 -19
  255. data/lib/bundles/inspec-init/templates/profile/inspec.yml +8 -8
  256. data/lib/bundles/inspec-init/templates/profile/libraries/.gitkeep +0 -0
  257. data/lib/bundles/inspec-supermarket.rb +13 -13
  258. data/lib/bundles/inspec-supermarket/README.md +45 -45
  259. data/lib/bundles/inspec-supermarket/api.rb +84 -84
  260. data/lib/bundles/inspec-supermarket/cli.rb +73 -73
  261. data/lib/bundles/inspec-supermarket/target.rb +34 -34
  262. data/lib/fetchers/git.rb +163 -163
  263. data/lib/fetchers/local.rb +74 -74
  264. data/lib/fetchers/mock.rb +35 -35
  265. data/lib/fetchers/url.rb +247 -247
  266. data/lib/inspec.rb +24 -24
  267. data/lib/inspec/archive/tar.rb +29 -29
  268. data/lib/inspec/archive/zip.rb +19 -19
  269. data/lib/inspec/backend.rb +93 -93
  270. data/lib/inspec/base_cli.rb +368 -368
  271. data/lib/inspec/cached_fetcher.rb +66 -66
  272. data/lib/inspec/cli.rb +292 -292
  273. data/lib/inspec/completions/bash.sh.erb +45 -45
  274. data/lib/inspec/completions/fish.sh.erb +34 -34
  275. data/lib/inspec/completions/zsh.sh.erb +61 -61
  276. data/lib/inspec/control_eval_context.rb +179 -179
  277. data/lib/inspec/dependencies/cache.rb +72 -72
  278. data/lib/inspec/dependencies/dependency_set.rb +92 -92
  279. data/lib/inspec/dependencies/lockfile.rb +115 -115
  280. data/lib/inspec/dependencies/requirement.rb +123 -123
  281. data/lib/inspec/dependencies/resolver.rb +86 -86
  282. data/lib/inspec/describe.rb +27 -27
  283. data/lib/inspec/dsl.rb +66 -66
  284. data/lib/inspec/dsl_shared.rb +33 -33
  285. data/lib/inspec/env_printer.rb +157 -157
  286. data/lib/inspec/errors.rb +14 -14
  287. data/lib/inspec/exceptions.rb +12 -12
  288. data/lib/inspec/expect.rb +45 -45
  289. data/lib/inspec/fetcher.rb +45 -45
  290. data/lib/inspec/file_provider.rb +275 -275
  291. data/lib/inspec/formatters.rb +3 -3
  292. data/lib/inspec/formatters/base.rb +259 -259
  293. data/lib/inspec/formatters/json_rspec.rb +20 -20
  294. data/lib/inspec/formatters/show_progress.rb +12 -12
  295. data/lib/inspec/library_eval_context.rb +58 -58
  296. data/lib/inspec/log.rb +11 -11
  297. data/lib/inspec/metadata.rb +247 -247
  298. data/lib/inspec/method_source.rb +24 -24
  299. data/lib/inspec/objects.rb +14 -14
  300. data/lib/inspec/objects/attribute.rb +75 -75
  301. data/lib/inspec/objects/control.rb +61 -61
  302. data/lib/inspec/objects/describe.rb +92 -92
  303. data/lib/inspec/objects/each_loop.rb +36 -36
  304. data/lib/inspec/objects/list.rb +15 -15
  305. data/lib/inspec/objects/or_test.rb +40 -40
  306. data/lib/inspec/objects/ruby_helper.rb +15 -15
  307. data/lib/inspec/objects/tag.rb +27 -27
  308. data/lib/inspec/objects/test.rb +87 -87
  309. data/lib/inspec/objects/value.rb +27 -27
  310. data/lib/inspec/plugins.rb +60 -60
  311. data/lib/inspec/plugins/cli.rb +24 -24
  312. data/lib/inspec/plugins/fetcher.rb +86 -86
  313. data/lib/inspec/plugins/resource.rb +135 -135
  314. data/lib/inspec/plugins/secret.rb +15 -15
  315. data/lib/inspec/plugins/source_reader.rb +40 -40
  316. data/lib/inspec/polyfill.rb +12 -12
  317. data/lib/inspec/profile.rb +513 -513
  318. data/lib/inspec/profile_context.rb +208 -208
  319. data/lib/inspec/profile_vendor.rb +66 -66
  320. data/lib/inspec/reporters.rb +60 -60
  321. data/lib/inspec/reporters/automate.rb +76 -76
  322. data/lib/inspec/reporters/base.rb +25 -25
  323. data/lib/inspec/reporters/cli.rb +356 -356
  324. data/lib/inspec/reporters/json.rb +117 -117
  325. data/lib/inspec/reporters/json_min.rb +48 -48
  326. data/lib/inspec/reporters/junit.rb +78 -78
  327. data/lib/inspec/require_loader.rb +33 -33
  328. data/lib/inspec/resource.rb +190 -190
  329. data/lib/inspec/rule.rb +280 -280
  330. data/lib/inspec/runner.rb +345 -345
  331. data/lib/inspec/runner_mock.rb +41 -41
  332. data/lib/inspec/runner_rspec.rb +175 -175
  333. data/lib/inspec/runtime_profile.rb +26 -26
  334. data/lib/inspec/schema.rb +213 -213
  335. data/lib/inspec/secrets.rb +19 -19
  336. data/lib/inspec/secrets/yaml.rb +30 -30
  337. data/lib/inspec/shell.rb +220 -220
  338. data/lib/inspec/shell_detector.rb +90 -90
  339. data/lib/inspec/source_reader.rb +29 -29
  340. data/lib/inspec/version.rb +8 -8
  341. data/lib/matchers/matchers.rb +339 -339
  342. data/lib/resource_support/aws.rb +50 -50
  343. data/lib/resource_support/aws/aws_backend_base.rb +12 -12
  344. data/lib/resource_support/aws/aws_backend_factory_mixin.rb +12 -12
  345. data/lib/resource_support/aws/aws_plural_resource_mixin.rb +21 -21
  346. data/lib/resource_support/aws/aws_resource_mixin.rb +66 -66
  347. data/lib/resource_support/aws/aws_singular_resource_mixin.rb +24 -24
  348. data/lib/resources/aide_conf.rb +151 -151
  349. data/lib/resources/apache.rb +48 -48
  350. data/lib/resources/apache_conf.rb +149 -149
  351. data/lib/resources/apt.rb +149 -149
  352. data/lib/resources/audit_policy.rb +63 -63
  353. data/lib/resources/auditd.rb +231 -231
  354. data/lib/resources/auditd_conf.rb +46 -46
  355. data/lib/resources/aws/aws_cloudtrail_trail.rb +93 -93
  356. data/lib/resources/aws/aws_cloudtrail_trails.rb +47 -47
  357. data/lib/resources/aws/aws_cloudwatch_alarm.rb +62 -62
  358. data/lib/resources/aws/aws_cloudwatch_log_metric_filter.rb +100 -100
  359. data/lib/resources/aws/aws_config_delivery_channel.rb +70 -70
  360. data/lib/resources/aws/aws_config_recorder.rb +93 -93
  361. data/lib/resources/aws/aws_ec2_instance.rb +157 -157
  362. data/lib/resources/aws/aws_ec2_instances.rb +64 -64
  363. data/lib/resources/aws/aws_iam_access_key.rb +106 -106
  364. data/lib/resources/aws/aws_iam_access_keys.rb +149 -149
  365. data/lib/resources/aws/aws_iam_group.rb +58 -58
  366. data/lib/resources/aws/aws_iam_groups.rb +52 -52
  367. data/lib/resources/aws/aws_iam_password_policy.rb +116 -116
  368. data/lib/resources/aws/aws_iam_policies.rb +53 -53
  369. data/lib/resources/aws/aws_iam_policy.rb +291 -291
  370. data/lib/resources/aws/aws_iam_role.rb +55 -55
  371. data/lib/resources/aws/aws_iam_root_user.rb +78 -78
  372. data/lib/resources/aws/aws_iam_user.rb +142 -142
  373. data/lib/resources/aws/aws_iam_users.rb +146 -146
  374. data/lib/resources/aws/aws_kms_key.rb +96 -96
  375. data/lib/resources/aws/aws_kms_keys.rb +53 -53
  376. data/lib/resources/aws/aws_rds_instance.rb +71 -71
  377. data/lib/resources/aws/aws_route_table.rb +63 -63
  378. data/lib/resources/aws/aws_route_tables.rb +60 -60
  379. data/lib/resources/aws/aws_s3_bucket.rb +137 -137
  380. data/lib/resources/aws/aws_s3_bucket_object.rb +82 -82
  381. data/lib/resources/aws/aws_s3_buckets.rb +51 -51
  382. data/lib/resources/aws/aws_security_group.rb +249 -249
  383. data/lib/resources/aws/aws_security_groups.rb +68 -68
  384. data/lib/resources/aws/aws_sns_subscription.rb +78 -78
  385. data/lib/resources/aws/aws_sns_topic.rb +53 -53
  386. data/lib/resources/aws/aws_sns_topics.rb +56 -56
  387. data/lib/resources/aws/aws_subnet.rb +88 -88
  388. data/lib/resources/aws/aws_subnets.rb +53 -53
  389. data/lib/resources/aws/aws_vpc.rb +73 -73
  390. data/lib/resources/aws/aws_vpcs.rb +52 -52
  391. data/lib/resources/azure/azure_backend.rb +377 -377
  392. data/lib/resources/azure/azure_generic_resource.rb +59 -59
  393. data/lib/resources/azure/azure_resource_group.rb +152 -152
  394. data/lib/resources/azure/azure_virtual_machine.rb +264 -264
  395. data/lib/resources/azure/azure_virtual_machine_data_disk.rb +134 -134
  396. data/lib/resources/bash.rb +35 -35
  397. data/lib/resources/bond.rb +69 -69
  398. data/lib/resources/bridge.rb +122 -122
  399. data/lib/resources/chocolatey_package.rb +78 -78
  400. data/lib/resources/command.rb +73 -73
  401. data/lib/resources/cpan.rb +58 -58
  402. data/lib/resources/cran.rb +64 -64
  403. data/lib/resources/crontab.rb +169 -169
  404. data/lib/resources/csv.rb +56 -56
  405. data/lib/resources/dh_params.rb +77 -77
  406. data/lib/resources/directory.rb +25 -25
  407. data/lib/resources/docker.rb +236 -236
  408. data/lib/resources/docker_container.rb +89 -89
  409. data/lib/resources/docker_image.rb +83 -83
  410. data/lib/resources/docker_object.rb +57 -57
  411. data/lib/resources/docker_service.rb +90 -90
  412. data/lib/resources/elasticsearch.rb +169 -169
  413. data/lib/resources/etc_fstab.rb +94 -94
  414. data/lib/resources/etc_group.rb +154 -154
  415. data/lib/resources/etc_hosts.rb +66 -66
  416. data/lib/resources/etc_hosts_allow_deny.rb +112 -112
  417. data/lib/resources/file.rb +298 -298
  418. data/lib/resources/filesystem.rb +31 -31
  419. data/lib/resources/firewalld.rb +143 -143
  420. data/lib/resources/gem.rb +70 -70
  421. data/lib/resources/groups.rb +215 -215
  422. data/lib/resources/grub_conf.rb +227 -227
  423. data/lib/resources/host.rb +306 -306
  424. data/lib/resources/http.rb +253 -253
  425. data/lib/resources/iis_app.rb +101 -101
  426. data/lib/resources/iis_site.rb +148 -148
  427. data/lib/resources/inetd_conf.rb +54 -54
  428. data/lib/resources/ini.rb +29 -29
  429. data/lib/resources/interface.rb +129 -129
  430. data/lib/resources/iptables.rb +80 -80
  431. data/lib/resources/json.rb +111 -111
  432. data/lib/resources/kernel_module.rb +107 -107
  433. data/lib/resources/kernel_parameter.rb +58 -58
  434. data/lib/resources/key_rsa.rb +63 -63
  435. data/lib/resources/limits_conf.rb +46 -46
  436. data/lib/resources/login_def.rb +57 -57
  437. data/lib/resources/mount.rb +88 -88
  438. data/lib/resources/mssql_session.rb +101 -101
  439. data/lib/resources/mysql.rb +82 -82
  440. data/lib/resources/mysql_conf.rb +127 -127
  441. data/lib/resources/mysql_session.rb +85 -85
  442. data/lib/resources/nginx.rb +96 -96
  443. data/lib/resources/nginx_conf.rb +226 -226
  444. data/lib/resources/npm.rb +48 -48
  445. data/lib/resources/ntp_conf.rb +51 -51
  446. data/lib/resources/oneget.rb +71 -71
  447. data/lib/resources/oracledb_session.rb +139 -139
  448. data/lib/resources/os.rb +36 -36
  449. data/lib/resources/os_env.rb +86 -86
  450. data/lib/resources/package.rb +370 -370
  451. data/lib/resources/packages.rb +111 -111
  452. data/lib/resources/parse_config.rb +112 -112
  453. data/lib/resources/passwd.rb +76 -76
  454. data/lib/resources/pip.rb +130 -130
  455. data/lib/resources/platform.rb +109 -109
  456. data/lib/resources/port.rb +771 -771
  457. data/lib/resources/postgres.rb +131 -131
  458. data/lib/resources/postgres_conf.rb +114 -114
  459. data/lib/resources/postgres_hba_conf.rb +90 -90
  460. data/lib/resources/postgres_ident_conf.rb +79 -79
  461. data/lib/resources/postgres_session.rb +71 -71
  462. data/lib/resources/powershell.rb +67 -67
  463. data/lib/resources/processes.rb +204 -204
  464. data/lib/resources/rabbitmq_conf.rb +51 -51
  465. data/lib/resources/registry_key.rb +297 -297
  466. data/lib/resources/security_policy.rb +180 -180
  467. data/lib/resources/service.rb +794 -794
  468. data/lib/resources/shadow.rb +159 -159
  469. data/lib/resources/ssh_conf.rb +97 -97
  470. data/lib/resources/ssl.rb +99 -99
  471. data/lib/resources/sys_info.rb +28 -28
  472. data/lib/resources/toml.rb +32 -32
  473. data/lib/resources/users.rb +654 -654
  474. data/lib/resources/vbscript.rb +68 -68
  475. data/lib/resources/virtualization.rb +247 -247
  476. data/lib/resources/windows_feature.rb +84 -84
  477. data/lib/resources/windows_hotfix.rb +35 -35
  478. data/lib/resources/windows_task.rb +102 -102
  479. data/lib/resources/wmi.rb +110 -110
  480. data/lib/resources/x509_certificate.rb +137 -137
  481. data/lib/resources/xinetd.rb +106 -106
  482. data/lib/resources/xml.rb +46 -46
  483. data/lib/resources/yaml.rb +43 -43
  484. data/lib/resources/yum.rb +180 -180
  485. data/lib/resources/zfs_dataset.rb +60 -60
  486. data/lib/resources/zfs_pool.rb +49 -49
  487. data/lib/source_readers/flat.rb +39 -39
  488. data/lib/source_readers/inspec.rb +75 -75
  489. data/lib/utils/command_wrapper.rb +27 -27
  490. data/lib/utils/convert.rb +12 -12
  491. data/lib/utils/database_helpers.rb +77 -77
  492. data/lib/utils/enumerable_delegation.rb +9 -9
  493. data/lib/utils/erlang_parser.rb +192 -192
  494. data/lib/utils/file_reader.rb +25 -25
  495. data/lib/utils/filter.rb +273 -273
  496. data/lib/utils/filter_array.rb +27 -27
  497. data/lib/utils/find_files.rb +47 -47
  498. data/lib/utils/hash.rb +41 -41
  499. data/lib/utils/json_log.rb +18 -18
  500. data/lib/utils/latest_version.rb +22 -22
  501. data/lib/utils/modulator.rb +12 -12
  502. data/lib/utils/nginx_parser.rb +105 -105
  503. data/lib/utils/object_traversal.rb +49 -49
  504. data/lib/utils/parser.rb +274 -274
  505. data/lib/utils/pkey_reader.rb +15 -15
  506. data/lib/utils/plugin_registry.rb +93 -93
  507. data/lib/utils/simpleconfig.rb +120 -120
  508. data/lib/utils/spdx.rb +13 -13
  509. data/lib/utils/spdx.txt +343 -343
  510. metadata +3 -3
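--- a/data/docs/resources/aws_s3_bucket_object.md.erb
+++ b/data/docs/resources/aws_s3_bucket_object.md.erb
@@ -1,89 +1,89 @@
----
-title: About the aws_s3_bucket_object Resource
----
-
-# aws\_s3\_bucket\_object
-
-Use the `aws_s3_bucket_object` InSpec audit resource to test properties of a single AWS bucket object.
-
-Each S3 Object has a 'key' which can be thought of as the name of the S3 Object which uniquely identifies it.
-
-
-<br>
-
-## Limitations
-
-S3 object security is a complex matter. For details on how AWS evaluates requests for access, please see [the AWS documentation](https://docs.aws.amazon.com/AmazonS3/latest/dev/how-s3-evaluates-access-control.html). S3 buckets and the objects they contain support three different types of access control: bucket ACLs, bucket policies, and object ACLs.
-
-As of January 2018, this resource supports evaluating S3 Object ACLs. In particular, users of the `be_public` matcher should carefully examine the conditions under which the matcher will detect an insecure bucket. See the `be_public` section under the Matchers section below.
-
-## Syntax
-
-An `aws_s3_bucket_object` resource block declares a bucket and an object key by name, and then lists tests to be performed.
-
-describe aws_s3_bucket_object(bucket_name: 'test_bucket', key: 'test_object_key') do
-it { should exist }
-it { should_not be_public }
-end
-
-<br>
-
-## Examples
-
-The following examples show how to use this InSpec audit resource.
-
-### Test a object's object-level ACL
-
-describe aws_s3_bucket_object(bucket_name: 'test_bucket', key: 'test_key') do
-its('object_acl.count') { should eq 1 }
-end
-
-### Check to see if a object appears to be exposed to the public
-
-# See Limitations section above
-describe aws_s3_bucket_object(bucket_name: 'test_bucket', key: 'test_key') do
-it { should_not be_public }
-end
-<br>
-
-## Unsupported Properties
-
-### object\_acl
-
-The `object_acl` property is a low-level property that lists the individual Object ACL grants that are in effect on the object. Other higher-level properties, such as be\_public, are more concise and easier to use. You can use the `object_acl` property to investigate which grants are in effect, causing be\_public to fail.
-
-The value of object_acl is an Array of simple objects. Each object has a `permission` property and a `grantee` property. The `permission` property will be a string such as 'READ', 'WRITE' etc (See the [AWS documentation](https://docs.aws.amazon.com/sdkforruby/api/Aws/S3/Client.html#get_bucket_acl-instance_method) for a full list). The `grantee` property contains sub-properties, such as `type` and `uri`.
-
-
-object_acl = aws_s3_bucket_object(bucket_name: 'my_bucket', key: 'object_key')
-
-# Look for grants to "AllUsers" (that is, the public)
-all_users_grants = object_acl.select do |g|
-g.grantee.type == 'Group' && g.grantee.uri =~ /AllUsers/
-end
-
-# Look for grants to "AuthenticatedUsers" (that is, any authenticated AWS user - nearly public)
-auth_grants = object_acl.select do |g|
-g.grantee.type == 'Group' && g.grantee.uri =~ /AuthenticatedUsers/
-end
-
-## Matchers
-
-This InSpec audit resource has the following special matchers. For a full list of available matchers (such as `exist`) please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
-
-### be\_public
-
-The `be_public` matcher tests if the object has potentially insecure access controls. This high-level matcher detects several insecure conditions, which may be enhanced in the future. Currently, the matcher reports an insecure object if any of the following conditions are met:
-
-1. A object ACL grant exists for the 'AllUsers' group
-2. A object ACL grant exists for the 'AuthenticatedUsers' group
-
-Note: This resource does not detect insecure bucket ACLs.
-
-it { should_not be_public }
-
-## AWS Permissions
-
-Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `s3:GetObject`, and `s3:GetObjectAcl` actions set to allow.
-
-You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon S3](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html).
+---
+title: About the aws_s3_bucket_object Resource
+---
+
+# aws\_s3\_bucket\_object
+
+Use the `aws_s3_bucket_object` InSpec audit resource to test properties of a single AWS bucket object.
+
+Each S3 Object has a 'key' which can be thought of as the name of the S3 Object which uniquely identifies it.
+
+
+<br>
+
+## Limitations
+
+S3 object security is a complex matter. For details on how AWS evaluates requests for access, please see [the AWS documentation](https://docs.aws.amazon.com/AmazonS3/latest/dev/how-s3-evaluates-access-control.html). S3 buckets and the objects they contain support three different types of access control: bucket ACLs, bucket policies, and object ACLs.
+
+As of January 2018, this resource supports evaluating S3 Object ACLs. In particular, users of the `be_public` matcher should carefully examine the conditions under which the matcher will detect an insecure bucket. See the `be_public` section under the Matchers section below.
+
+## Syntax
+
+An `aws_s3_bucket_object` resource block declares a bucket and an object key by name, and then lists tests to be performed.
+
+describe aws_s3_bucket_object(bucket_name: 'test_bucket', key: 'test_object_key') do
+it { should exist }
+it { should_not be_public }
+end
+
+<br>
+
+## Examples
+
+The following examples show how to use this InSpec audit resource.
+
+### Test a object's object-level ACL
+
+describe aws_s3_bucket_object(bucket_name: 'test_bucket', key: 'test_key') do
+its('object_acl.count') { should eq 1 }
+end
+
+### Check to see if a object appears to be exposed to the public
+
+# See Limitations section above
+describe aws_s3_bucket_object(bucket_name: 'test_bucket', key: 'test_key') do
+it { should_not be_public }
+end
+<br>
+
+## Unsupported Properties
+
+### object\_acl
+
+The `object_acl` property is a low-level property that lists the individual Object ACL grants that are in effect on the object. Other higher-level properties, such as be\_public, are more concise and easier to use. You can use the `object_acl` property to investigate which grants are in effect, causing be\_public to fail.
+
+The value of object_acl is an Array of simple objects. Each object has a `permission` property and a `grantee` property. The `permission` property will be a string such as 'READ', 'WRITE' etc (See the [AWS documentation](https://docs.aws.amazon.com/sdkforruby/api/Aws/S3/Client.html#get_bucket_acl-instance_method) for a full list). The `grantee` property contains sub-properties, such as `type` and `uri`.
+
+
+object_acl = aws_s3_bucket_object(bucket_name: 'my_bucket', key: 'object_key')
+
+# Look for grants to "AllUsers" (that is, the public)
+all_users_grants = object_acl.select do |g|
+g.grantee.type == 'Group' && g.grantee.uri =~ /AllUsers/
+end
+
+# Look for grants to "AuthenticatedUsers" (that is, any authenticated AWS user - nearly public)
+auth_grants = object_acl.select do |g|
+g.grantee.type == 'Group' && g.grantee.uri =~ /AuthenticatedUsers/
+end
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers (such as `exist`) please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### be\_public
+
+The `be_public` matcher tests if the object has potentially insecure access controls. This high-level matcher detects several insecure conditions, which may be enhanced in the future. Currently, the matcher reports an insecure object if any of the following conditions are met:
+
+1. A object ACL grant exists for the 'AllUsers' group
+2. A object ACL grant exists for the 'AuthenticatedUsers' group
+
+Note: This resource does not detect insecure bucket ACLs.
+
+it { should_not be_public }
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `s3:GetObject`, and `s3:GetObjectAcl` actions set to allow.
+
+You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon S3](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html).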
@@ -1,59 +1,59 @@
1
- ---
2
- title: About the aws_s3_buckets Resource
3
- ---
4
-
5
- # aws\_s3\_buckets
6
-
7
- Use the `aws_s3_buckets` InSpec audit resource to list all buckets in a single account.
8
-
9
- Use the `aws_s3_bucket` InSpec audit resource to perform in-depth auditing of a single S3 bucket.
10
-
11
- <br>
12
-
13
- ## Syntax
14
-
15
- An `aws_s3_buckets` resource block takes no arguments
16
-
17
- describe aws_s3_buckets do
18
- it { should exist }
19
- end
20
-
21
- <br>
22
-
23
- ## Examples
24
-
25
- The following examples show how to use this InSpec audit resource.
26
-
27
- As this is the initial release of `aws_s3_buckets`, its limited functionality precludes examples.
28
-
29
- <br>
30
-
31
- ## Matchers
32
-
33
- ### exists
34
-
35
- The control will pass if the resource contains at least one bucket.
36
-
37
- # Test if there are any buckets
38
- describe aws_s3_buckets
39
- it { should exist }
40
- end
41
-
42
- ## Properties
43
-
44
- ### bucket\_names
45
-
46
- Provides an array of strings containing the names of the buckets.
47
-
48
- # Examine what buckets have been created.
49
- describe aws_s3_buckets do
50
- its('bucket_names') { should eq ['my_bucket'] }
51
- # OR
52
- its('bucket_names') { should include 'my_bucket' }
53
- end
54
-
55
- ## AWS Permissions
56
-
57
- Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `s3:ListAllMyBuckets` action with Effect set to Allow.
58
-
59
- You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon S3](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html).
1
+ ---
2
+ title: About the aws_s3_buckets Resource
3
+ ---
4
+
5
+ # aws\_s3\_buckets
6
+
7
+ Use the `aws_s3_buckets` InSpec audit resource to list all buckets in a single account.
8
+
9
+ Use the `aws_s3_bucket` InSpec audit resource to perform in-depth auditing of a single S3 bucket.
10
+
11
+ <br>
12
+
13
+ ## Syntax
14
+
15
+ An `aws_s3_buckets` resource block takes no arguments
16
+
17
+ describe aws_s3_buckets do
18
+ it { should exist }
19
+ end
20
+
21
+ <br>
22
+
23
+ ## Examples
24
+
25
+ The following examples show how to use this InSpec audit resource.
26
+
27
+ As this is the initial release of `aws_s3_buckets`, its limited functionality precludes examples.
28
+
29
+ <br>
30
+
31
+ ## Matchers
32
+
33
+ ### exists
34
+
35
+ The control will pass if the resource contains at least one bucket.
36
+
37
+ # Test if there are any buckets
38
+ describe aws_s3_buckets
39
+ it { should exist }
40
+ end
41
+
42
+ ## Properties
43
+
44
+ ### bucket\_names
45
+
46
+ Provides an array of strings containing the names of the buckets.
47
+
48
+ # Examine what buckets have been created.
49
+ describe aws_s3_buckets do
50
+ its('bucket_names') { should eq ['my_bucket'] }
51
+ # OR
52
+ its('bucket_names') { should include 'my_bucket' }
53
+ end
54
+
55
+ ## AWS Permissions
56
+
57
+ Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `s3:ListAllMyBuckets` action with Effect set to Allow.
58
+
59
+ You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon S3](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html).
@@ -1,296 +1,296 @@
1
- ---
2
- title: About the aws_security_group Resource
3
- ---
4
-
5
- # aws\_security\_group
6
-
7
- Use the `aws_security_group` InSpec audit resource to test detailed properties of an individual Security Group (SG).
8
-
9
- SGs are a networking construct which contain ingress and egress rules for network communications. SGs may be attached to EC2 instances, as well as certain other AWS resources. Along with Network Access Control Lists, SGs are one of the two main mechanisms of enforcing network-level security.
10
-
11
- ## Limitations
12
-
13
- While this resource provides facilities for searching inbound and outbound rules on a variety of criteria, there is currently no support for performing matches based on:
14
-
15
- * IPv6 ranges
16
- * References to other Security Groups
17
- * References to VPC peers or other AWS services (that is, no support for searches based on 'prefix lists').
18
-
19
- <br>
20
-
21
- ## Syntax
22
-
23
- Resource parameters: group_id, group_name, id, vpc_id
24
-
25
- An `aws_security_group` resource block uses resource parameters to search for and then test a Security Group. If no SGs match, no error is raised, but the `exists` matcher returns `false`, and all scalar properties are `nil`. List properties returned under these conditions are empty lists. If more than one SG matches (due to vague search parameters), an error is raised.
26
-
27
- # Ensure you have a Security Group with a specific ID
28
- # This is "safe" - SG IDs are unique within an account
29
- describe aws_security_group('sg-12345678') do
30
- it { should exist }
31
- end
32
-
33
- # Ensure you have a Security Group with a specific ID
34
- # This uses hash syntax
35
- describe aws_security_group(id: 'sg-12345678') do
36
- it { should exist }
37
- end
38
-
39
- # Ensure you have a Security Group with a specific name. Names are
40
- # unique within a VPC but not across VPCs.
41
- # Using only Group returns an error if multiple SGs match.
42
- describe aws_security_group(group_name: 'my-group') do
43
- it { should exist }
44
- end
45
- # Add vpc_id to ensure uniqueness.
46
- describe aws_security_group(group_name: 'my-group', vpc_id: 'vpc-12345678') do
47
- it { should exist }
48
- end
49
-
50
- <br>
51
-
52
- ## Examples
53
-
54
- The following examples show how to use this InSpec audit resource.
55
-
56
- # Ensure that the linux_servers Security Group permits
57
- # SSH from the 10.5.0.0/16 range, but not the world.
58
- describe aws_security_group(group_name: linux_servers) do
59
- # This passes if any inbound rule exists that specifies
60
- # port 22 and the given IP range, regardless of protocol, etc.
61
- it { should allow_in(port: 22, ipv4_range: '10.5.0.0/16') }
62
-
63
- # This passes so long as no inbound rule that specifies port 22 exists
64
- # with a source IP range of 0.0.0.0/0. Other properties are ignored.
65
- it { should_not allow_in(port: 22, ipv4_range: '0.0.0.0/0') }
66
-
67
- end
68
-
69
- # Ensure that the careful_updates Security Group may only initiate contact with specific IPs.
70
- describe aws_security_group(group_name: 'careful_updates') do
71
-
72
- # If you have two rules, with one CIDR each:
73
- [ '10.7.23.12/32', '10.8.23.12/32' ].each do |allowed_destination|
74
- # This doesn't care about which ports are enabled
75
- it { should allow_out(ipv4_range: allowed_destination) }
76
- end
77
-
78
- # If you have one rule with two CIDRs:
79
- it { should allow_out(ipv4_range: [ '10.7.23.12/32', '10.8.23.12/32' ] }
80
-
81
- # Expect exactly three rules.
82
- its('outbound_rules.count') { should cmp 3 }
83
- end
84
-
85
- <br>
86
-
87
- ## Resource Parameters
88
-
89
- This InSpec resource accepts the following parameters, which are used to search for the Security Group.
90
-
91
- ### id, group\_id
92
-
93
- The Security Group ID of the Security Group. This is of the format `sg-` followed by 8 hexadecimal characters. The ID is unique within your AWS account; using ID ensures a match of only one SG. The ID is also the default resource parameter, so you may omit the hash syntax.
94
-
95
- # Using Hash syntax
96
- describe aws_security_group(id: 'sg-12345678') do
97
- it { should exist }
98
- end
99
-
100
- # group_id is an alias for id
101
- describe aws_security_group(group_id: 'sg-12345678') do
102
- it { should exist }
103
- end
104
-
105
- # Or omit hash syntax, rely on it being the default parameter
106
- describe aws_security_group('sg-12345678') do
107
- it { should exist }
108
- end
109
-
110
- ### group\_name
111
-
112
- The string name of the Security Group. Every VPC has a Security Group named 'default'. Names are unique within a VPC, but not within an AWS account.
113
-
114
- # Get default Security Group for a specific VPC
115
- describe aws_security_group(group_name: 'default', vpc_id: vpc_id: 'vpc-12345678') do
116
- it { should exist }
117
- end
118
-
119
- # This throws an error if more than one VPC has a 'backend' SG.
120
- describe aws_security_group(group_name: 'backend') do
121
- it { should exist }
122
- end
123
-
124
- ### vpc\_id
125
-
126
- A string identifying the VPC that contains the Security Group. Since VPCs commonly contain many SGs, you should add additional parameters to ensure you find exactly one SG.
127
-
128
- # This throws an error if more than the default SG exists
129
- describe aws_security_group(vpc_id: 'vpc-12345678') do
130
- it { should exist }
131
- end
132
-
133
- <br>
134
- ## Properties
135
-
136
- * [`description`](#description), [`group_id`](#group_id), [`group_name`](#group_name), [`inbound_rules`](#inbound_rules), [`outbound_rules`](#outbound_rules), [`vpc_id`](#vpc_id)
137
-
138
- <br>
139
-
140
- ## Property Examples
141
-
142
- ### description
143
-
144
- A String reflecting the human-meaningful description that was given to the SG at creation time.
145
-
146
- # Require a description of a particular Security Group
147
- describe aws_security_group('sg-12345678') do
148
- its('description') { should_not be_empty }
149
- end
150
-
151
- ### group\_id
152
-
153
- Provides the Security Group ID.
154
-
155
- # Inspect the Security group ID of the default Group
156
- describe aws_security_group(group_name: 'default', vpc_id: vpc_id: 'vpc-12345678') do
157
- its('group_id') { should cmp 'sg-12345678' }
158
- end
159
-
160
- # Store the Group ID in a Ruby variable for use elsewhere
161
- sg_id = aws_security_group(group_name: 'default', vpc_id: vpc_id: 'vpc-12345678').group_id
162
-
163
- ### group\_name
164
-
165
- A String reflecting the name that was given to the SG at creation time.
166
-
167
- # Inspect the Group name of a particular Group
168
- describe aws_security_group('sg-12345678') do
169
- its('group_name') { should cmp 'my_group' }
170
- end
171
-
172
- ### inbound\_rules
173
-
174
- A list of the rules that the Security Group applies to incoming network traffic. This is a low-level property that is used by the [`allow_in`](#allow_in) and [`allow_in_only`](#allow_in_only) matchers; see them for detailed examples. `inbound_rules` is provided here for those wishing to use Ruby code to inspect the rules directly, instead of using higher-level matchers.
175
-
176
- Order is critical in these rules, as the sequentially first rule to match is applied to network traffic. By default, AWS includes a reject-all rule as the last inbound rule. This implicit rule does not appear in the inbound_rules list.
177
-
178
- If the Security Group could not be found (that is, `exists` is false), `inbound_rules` returns an empty list.
179
-
180
- describe aws_security_group(group_name: linux_servers) do
181
- its('inbound_rules.first') { should include(from_port: '22', ip_ranges: ['10.2.17.0/24']) }
182
- end
183
-
184
- ### outbound\_rules
185
-
186
- A list of the rules that the Security Group applies to outgoing network traffic initiated by the AWS resource in the Security Group. This is a low-level property that is used by the [`allow_out`](#allow_out) matcher; see it for detailed examples. `outbound_rules` is provided here for those wishing to use Ruby code to inspect the rules directly, instead of using higher-level matchers.
187
-
188
- Order is critical in these rules, as the sequentially first rule to match is applied to network traffic. Outbound rules are typically used when it is desirable to restrict which portions of the internet, if any, a resource may access. By default, AWS includes an allow-all rule as the last outbound rule; note that Terraform removes this implicit rule.
189
-
190
- If the Security Group could not be found (that is, `exists` is false), `outbound_rules` returns an empty list.
191
-
192
- describe aws_security_group(group_name: isolated_servers) do
193
- its('outbound_rules.last') { should_not include(ip_ranges:['0.0.0.0/0']) }
194
- end
195
-
196
- ### vpc\_id
197
-
198
- A String in the format 'vpc-' followed by 8 hexadecimal characters reflecting VPC that contains the Security Group.
199
-
200
- # Inspec the VPC ID of a particular Group
201
- describe aws_security_group('sg-12345678') do
202
- its('vpc_id') { should cmp 'vpc-12345678' }
203
- end
204
-
205
- <br>
206
-
207
- ## Matchers
208
-
209
- This InSpec audit resource has the following special matchers. For a full list of additional available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
210
-
211
- * [`allow_in`](#allow_in), [`allow_in_only`](#allow_in_only), [`allow_out`](#allow_out), [`allow_out_only`](#allow_out_only)
212
-
213
- ### allow\_in
214
-
215
- ### allow\_out
216
-
217
- ### allow\_in\_only
218
-
219
- ### allow\_out\_only
220
-
221
- The `allow` series of matchers enable you to perform queries about what network traffic would be permitted through the Security Group rule set.
222
-
223
- `allow_in` and `allow_in_exactly` examine inbound rules, and `allow_out` and `allow_out_exactly` examine outbound rules.
224
-
225
- `allow_in` and `allow_out` examine if at least one rule that matches the criteria exists. `allow_in` and `allow_out` also perform inexact (ie, range-based or subset-based) matching on ports and IP addresses ranges, allowing you to specify a candidate port or IP address and determine if it is covered by a rule.
226
-
227
- `allow_in_only` and `allow_out_only` examines if exactly one rule exists (but see `position`, below), and if it matches the criteria (this is useful for ensuring no unexpected rules have been added). Additionally, `allow_in_only` and `allow_out_only` do _not_ perform inexact matching; you must specify exactly the port range or IP address(es) you wish to match.
228
-
229
- The matchers accept a key-value list of search criteria. For a rule to match, it must match all provided criteria.
230
-
231
- * from_port - Determines if a rule exists whose port range begins at the specified number. The word 'from_' does *not* relate to inbound/outbound directionality; it relates to the port range ("counting _from_"). `from_port` is an exact criterion; so if the rule allows 1000-2000 and you specify a `from_port` of 1001, it does not match.
232
- * ipv4_range - Specifies an IPv4 address or subnet as a CIDR, or a list of them, to be checked as a permissible origin (for `allow_in`) or destination (for `allow_out`) for traffic. Each AWS Security Group rule may have multiple allowed source IP ranges.
233
- * port - Determines if a particular TCP/IP port is reachable. allow_in and allow_out examine whether the specified port is included in the port range of a rule, while allow_in. You may specify the port as a string (`'22'`) or as a number.
234
- * position - A one-based index into the list of rules. If provided, this restricts the evaluation to the rule at that position. You may also use the special values `:first` and `:last`. `position` may also be used to enable `allow_in_only` and `allow_out_only` to work with multi-rule Security Groups.
235
- * protocol - Specifies the IP protocol. 'tcp', 'udp', and 'icmp' are some typical values. The string "-1" or 'any' is used to indicate any protocol.
236
- * to_port - Determines if a rule exists whose port range ends at the specified number. The word 'to_' does *not* relate to inbound/outbound directionality; it relates to the port range ("counting _to_"). `to_port` is an exact criterion; so if the rule allows 1000-2000 and you specify a `to_port` of 1999, it does not match.
237
-
238
- describe aws_security_group(group_name: 'mixed-functionality-group') do
239
- # Allow RDP from defined range
240
- it { should allow_in(port: 3389, ipv4_range: '10.5.0.0/16') }
241
-
242
- # Allow SSH from two ranges
243
- it { should allow_in(port: 22, ipv4_range: ['10.5.0.0/16', '10.2.3.0/24']) }
244
-
245
- # Check Bacula port range
246
- it { should allow_in(from_port: 9101, to_port: 9103, ipv4_range: '10.6.7.0/24') }
247
-
248
- # Assuming the AWS SG allows 9001-9003, use inexact matching to check 9002
249
- it { should allow_in(port: 9002) }
250
-
251
- # Assuming the AWS SG allows 10.2.1.0/24, use inexact matching to check 10.2.1.33/32
252
- it { should allow_in(ipv4_range: '10.2.1.33/32') }
253
-
254
- # Ensure the 3rd outbound rule is TCP-based
255
- it { should allow_in(protocol: 'tcp', position: 3') }
256
-
257
- # Do not allow unrestricted IPv4 access.
258
- it { should_not allow_in(ipv4_range: '0.0.0.0/0') }
259
- end
260
-
261
- # Suppose you have a Group that should allow SSH and RDP from
262
- # the admin network, 10.5.0.0/16. The resource has 2 rules to
263
- # allow this, and you want to ensure no others have been added.
264
- describe aws_security_group(group_name: 'admin-group') do
265
- # Allow RDP from a defined range and nothing else
266
- # The SG must have this rule in position 1 and it must match this exactly
267
- it { should allow_in_only(port: 3389, ipv4_range: '10.5.0.0/16', position: 1) }
268
-
269
- # Specify position 2 for the SSH rule. Without `position`,
270
- # allow_in_only only allows one rule, total.
271
- it { should allow_in_only(port: 22, ipv4_range: '10.5.0.0/16', position: 2) }
272
-
273
- # Because this is an _only matcher, this fails - _only matchers
274
- # use exact IP matching.
275
- it { should allow_in_only(port: 3389, ipv4_range: '10.5.1.34/32', position: 1) }
276
- end
277
-
278
- ### exists
279
-
280
- The control passes if the specified Security Group was found. Use `should_not` if you want to verify that the specified SG does not exist.
281
-
282
- # You always have at least one SG, the VPC default SG
283
- describe aws_security_group(group_name: 'default')
284
- it { should exist }
285
- end
286
-
287
- # Make sure we don't have any Security Groups with the name 'nogood'
288
- describe aws_security_group(group_name: 'nogood')
289
- it { should_not exist }
290
- end
291
-
292
- ## AWS Permissions
293
-
294
- Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `ec2:DescribeSecurityGroups` action with Effect set to Allow.
295
-
296
- You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).
1
+ ---
2
+ title: About the aws_security_group Resource
3
+ ---
4
+
5
+ # aws\_security\_group
6
+
7
+ Use the `aws_security_group` InSpec audit resource to test detailed properties of an individual Security Group (SG).
8
+
9
+ SGs are a networking construct which contain ingress and egress rules for network communications. SGs may be attached to EC2 instances, as well as certain other AWS resources. Along with Network Access Control Lists, SGs are one of the two main mechanisms of enforcing network-level security.
10
+
11
+ ## Limitations
12
+
13
+ While this resource provides facilities for searching inbound and outbound rules on a variety of criteria, there is currently no support for performing matches based on:
14
+
15
+ * IPv6 ranges
16
+ * References to other Security Groups
17
+ * References to VPC peers or other AWS services (that is, no support for searches based on 'prefix lists').
18
+
19
+ <br>
20
+
21
+ ## Syntax
22
+
23
+ Resource parameters: group_id, group_name, id, vpc_id
24
+
25
+ An `aws_security_group` resource block uses resource parameters to search for and then test a Security Group. If no SGs match, no error is raised, but the `exists` matcher returns `false`, and all scalar properties are `nil`. List properties returned under these conditions are empty lists. If more than one SG matches (due to vague search parameters), an error is raised.
26
+
27
+ # Ensure you have a Security Group with a specific ID
28
+ # This is "safe" - SG IDs are unique within an account
29
+ describe aws_security_group('sg-12345678') do
30
+ it { should exist }
31
+ end
32
+
33
+ # Ensure you have a Security Group with a specific ID
34
+ # This uses hash syntax
35
+ describe aws_security_group(id: 'sg-12345678') do
36
+ it { should exist }
37
+ end
38
+
39
+ # Ensure you have a Security Group with a specific name. Names are
40
+ # unique within a VPC but not across VPCs.
41
+ # Using only Group returns an error if multiple SGs match.
42
+ describe aws_security_group(group_name: 'my-group') do
43
+ it { should exist }
44
+ end
45
+ # Add vpc_id to ensure uniqueness.
46
+ describe aws_security_group(group_name: 'my-group', vpc_id: 'vpc-12345678') do
47
+ it { should exist }
48
+ end
49
+
50
+ <br>
51
+
52
+ ## Examples
53
+
54
+ The following examples show how to use this InSpec audit resource.
55
+
56
+ # Ensure that the linux_servers Security Group permits
57
+ # SSH from the 10.5.0.0/16 range, but not the world.
58
+ describe aws_security_group(group_name: linux_servers) do
59
+ # This passes if any inbound rule exists that specifies
60
+ # port 22 and the given IP range, regardless of protocol, etc.
61
+ it { should allow_in(port: 22, ipv4_range: '10.5.0.0/16') }
62
+
63
+ # This passes so long as no inbound rule that specifies port 22 exists
64
+ # with a source IP range of 0.0.0.0/0. Other properties are ignored.
65
+ it { should_not allow_in(port: 22, ipv4_range: '0.0.0.0/0') }
66
+
67
+ end
68
+
69
+ # Ensure that the careful_updates Security Group may only initiate contact with specific IPs.
70
+ describe aws_security_group(group_name: 'careful_updates') do
71
+
72
+ # If you have two rules, with one CIDR each:
73
+ [ '10.7.23.12/32', '10.8.23.12/32' ].each do |allowed_destination|
74
+ # This doesn't care about which ports are enabled
75
+ it { should allow_out(ipv4_range: allowed_destination) }
76
+ end
77
+
78
+ # If you have one rule with two CIDRs:
79
+ it { should allow_out(ipv4_range: [ '10.7.23.12/32', '10.8.23.12/32' ] }
80
+
81
+ # Expect exactly three rules.
82
+ its('outbound_rules.count') { should cmp 3 }
83
+ end
84
+
85
+ <br>
86
+
87
+ ## Resource Parameters
88
+
89
+ This InSpec resource accepts the following parameters, which are used to search for the Security Group.
90
+
91
+ ### id, group\_id
92
+
93
+ The Security Group ID of the Security Group. This is of the format `sg-` followed by 8 hexadecimal characters. The ID is unique within your AWS account; using ID ensures a match of only one SG. The ID is also the default resource parameter, so you may omit the hash syntax.
94
+
95
+ # Using Hash syntax
96
+ describe aws_security_group(id: 'sg-12345678') do
97
+ it { should exist }
98
+ end
99
+
100
+ # group_id is an alias for id
101
+ describe aws_security_group(group_id: 'sg-12345678') do
102
+ it { should exist }
103
+ end
104
+
105
+ # Or omit hash syntax, rely on it being the default parameter
106
+ describe aws_security_group('sg-12345678') do
107
+ it { should exist }
108
+ end
109
+
110
+ ### group\_name
111
+
112
+ The string name of the Security Group. Every VPC has a Security Group named 'default'. Names are unique within a VPC, but not within an AWS account.
113
+
114
+ # Get default Security Group for a specific VPC
115
+ describe aws_security_group(group_name: 'default', vpc_id: vpc_id: 'vpc-12345678') do
116
+ it { should exist }
117
+ end
118
+
119
+ # This throws an error if more than one VPC has a 'backend' SG.
120
+ describe aws_security_group(group_name: 'backend') do
121
+ it { should exist }
122
+ end
123
+
124
+ ### vpc\_id
125
+
126
+ A string identifying the VPC that contains the Security Group. Since VPCs commonly contain many SGs, you should add additional parameters to ensure you find exactly one SG.
127
+
128
+ # This throws an error if more than the default SG exists
129
+ describe aws_security_group(vpc_id: 'vpc-12345678') do
130
+ it { should exist }
131
+ end
132
+
133
+ <br>
134
+ ## Properties
135
+
136
+ * [`description`](#description), [`group_id`](#group_id), [`group_name`](#group_name), [`inbound_rules`](#inbound_rules), [`outbound_rules`](#outbound_rules), [`vpc_id`](#vpc_id)
137
+
138
+ <br>
139
+
140
+ ## Property Examples
141
+
142
+ ### description
143
+
144
+ A String reflecting the human-meaningful description that was given to the SG at creation time.
145
+
146
+ # Require a description of a particular Security Group
147
+ describe aws_security_group('sg-12345678') do
148
+ its('description') { should_not be_empty }
149
+ end
150
+
151
+ ### group\_id
152
+
153
+ Provides the Security Group ID.
154
+
155
+ # Inspect the Security group ID of the default Group
156
+ describe aws_security_group(group_name: 'default', vpc_id: vpc_id: 'vpc-12345678') do
157
+ its('group_id') { should cmp 'sg-12345678' }
158
+ end
159
+
160
+ # Store the Group ID in a Ruby variable for use elsewhere
161
+ sg_id = aws_security_group(group_name: 'default', vpc_id: vpc_id: 'vpc-12345678').group_id
162
+
163
+ ### group\_name
164
+
165
+ A String reflecting the name that was given to the SG at creation time.
166
+
167
+ # Inspect the Group name of a particular Group
168
+ describe aws_security_group('sg-12345678') do
169
+ its('group_name') { should cmp 'my_group' }
170
+ end
171
+
172
+ ### inbound\_rules
173
+
174
+ A list of the rules that the Security Group applies to incoming network traffic. This is a low-level property that is used by the [`allow_in`](#allow_in) and [`allow_in_only`](#allow_in_only) matchers; see them for detailed examples. `inbound_rules` is provided here for those wishing to use Ruby code to inspect the rules directly, instead of using higher-level matchers.
175
+
176
+ Order is critical in these rules, as the sequentially first rule to match is applied to network traffic. By default, AWS includes a reject-all rule as the last inbound rule. This implicit rule does not appear in the inbound_rules list.
177
+
178
+ If the Security Group could not be found (that is, `exists` is false), `inbound_rules` returns an empty list.
179
+
180
+ describe aws_security_group(group_name: linux_servers) do
181
+ its('inbound_rules.first') { should include(from_port: '22', ip_ranges: ['10.2.17.0/24']) }
182
+ end
183
+
184
+ ### outbound\_rules
185
+
186
+ A list of the rules that the Security Group applies to outgoing network traffic initiated by the AWS resource in the Security Group. This is a low-level property that is used by the [`allow_out`](#allow_out) matcher; see it for detailed examples. `outbound_rules` is provided here for those wishing to use Ruby code to inspect the rules directly, instead of using higher-level matchers.
187
+
188
+ Order is critical in these rules, as the sequentially first rule to match is applied to network traffic. Outbound rules are typically used when it is desirable to restrict which portions of the internet, if any, a resource may access. By default, AWS includes an allow-all rule as the last outbound rule; note that Terraform removes this implicit rule.
189
+
190
+ If the Security Group could not be found (that is, `exists` is false), `outbound_rules` returns an empty list.
191
+
192
+ describe aws_security_group(group_name: isolated_servers) do
193
+ its('outbound_rules.last') { should_not include(ip_ranges:['0.0.0.0/0']) }
194
+ end
195
+
196
+ ### vpc\_id
197
+
198
+ A String in the format 'vpc-' followed by 8 hexadecimal characters reflecting VPC that contains the Security Group.
199
+
200
+ # Inspec the VPC ID of a particular Group
201
+ describe aws_security_group('sg-12345678') do
202
+ its('vpc_id') { should cmp 'vpc-12345678' }
203
+ end
204
+
205
+ <br>
206
+
207
+ ## Matchers
208
+
209
+ This InSpec audit resource has the following special matchers. For a full list of additional available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
210
+
211
+ * [`allow_in`](#allow_in), [`allow_in_only`](#allow_in_only), [`allow_out`](#allow_out), [`allow_out_only`](#allow_out_only)
212
+
213
+ ### allow\_in
214
+
215
+ ### allow\_out
216
+
217
+ ### allow\_in\_only
218
+
219
+ ### allow\_out\_only
220
+
221
+ The `allow` series of matchers enable you to perform queries about what network traffic would be permitted through the Security Group rule set.
222
+
223
+ `allow_in` and `allow_in_exactly` examine inbound rules, and `allow_out` and `allow_out_exactly` examine outbound rules.
224
+
225
+ `allow_in` and `allow_out` examine if at least one rule that matches the criteria exists. `allow_in` and `allow_out` also perform inexact (ie, range-based or subset-based) matching on ports and IP addresses ranges, allowing you to specify a candidate port or IP address and determine if it is covered by a rule.
226
+
227
+ `allow_in_only` and `allow_out_only` examines if exactly one rule exists (but see `position`, below), and if it matches the criteria (this is useful for ensuring no unexpected rules have been added). Additionally, `allow_in_only` and `allow_out_only` do _not_ perform inexact matching; you must specify exactly the port range or IP address(es) you wish to match.
228
+
229
+ The matchers accept a key-value list of search criteria. For a rule to match, it must match all provided criteria.
230
+
231
+ * from_port - Determines if a rule exists whose port range begins at the specified number. The word 'from_' does *not* relate to inbound/outbound directionality; it relates to the port range ("counting _from_"). `from_port` is an exact criterion; so if the rule allows 1000-2000 and you specify a `from_port` of 1001, it does not match.
232
+ * ipv4_range - Specifies an IPv4 address or subnet as a CIDR, or a list of them, to be checked as a permissible origin (for `allow_in`) or destination (for `allow_out`) for traffic. Each AWS Security Group rule may have multiple allowed source IP ranges.
233
+ * port - Determines if a particular TCP/IP port is reachable. allow_in and allow_out examine whether the specified port is included in the port range of a rule, while allow_in. You may specify the port as a string (`'22'`) or as a number.
234
+ * position - A one-based index into the list of rules. If provided, this restricts the evaluation to the rule at that position. You may also use the special values `:first` and `:last`. `position` may also be used to enable `allow_in_only` and `allow_out_only` to work with multi-rule Security Groups.
235
+ * protocol - Specifies the IP protocol. 'tcp', 'udp', and 'icmp' are some typical values. The string "-1" or 'any' is used to indicate any protocol.
236
+ * to_port - Determines if a rule exists whose port range ends at the specified number. The word 'to_' does *not* relate to inbound/outbound directionality; it relates to the port range ("counting _to_"). `to_port` is an exact criterion; so if the rule allows 1000-2000 and you specify a `to_port` of 1999, it does not match.
237
+
238
+ describe aws_security_group(group_name: 'mixed-functionality-group') do
239
+ # Allow RDP from defined range
240
+ it { should allow_in(port: 3389, ipv4_range: '10.5.0.0/16') }
241
+
242
+ # Allow SSH from two ranges
243
+ it { should allow_in(port: 22, ipv4_range: ['10.5.0.0/16', '10.2.3.0/24']) }
244
+
245
+ # Check Bacula port range
246
+ it { should allow_in(from_port: 9101, to_port: 9103, ipv4_range: '10.6.7.0/24') }
247
+
248
+ # Assuming the AWS SG allows 9001-9003, use inexact matching to check 9002
249
+ it { should allow_in(port: 9002) }
250
+
251
+ # Assuming the AWS SG allows 10.2.1.0/24, use inexact matching to check 10.2.1.33/32
252
+ it { should allow_in(ipv4_range: '10.2.1.33/32') }
253
+
254
+ # Ensure the 3rd outbound rule is TCP-based
255
+ it { should allow_in(protocol: 'tcp', position: 3') }
256
+
257
+ # Do not allow unrestricted IPv4 access.
258
+ it { should_not allow_in(ipv4_range: '0.0.0.0/0') }
259
+ end
260
+
261
+ # Suppose you have a Group that should allow SSH and RDP from
262
+ # the admin network, 10.5.0.0/16. The resource has 2 rules to
263
+ # allow this, and you want to ensure no others have been added.
264
+ describe aws_security_group(group_name: 'admin-group') do
265
+ # Allow RDP from a defined range and nothing else
266
+ # The SG must have this rule in position 1 and it must match this exactly
267
+ it { should allow_in_only(port: 3389, ipv4_range: '10.5.0.0/16', position: 1) }
268
+
269
+ # Specify position 2 for the SSH rule. Without `position`,
270
+ # allow_in_only only allows one rule, total.
271
+ it { should allow_in_only(port: 22, ipv4_range: '10.5.0.0/16', position: 2) }
272
+
273
+ # Because this is an _only matcher, this fails - _only matchers
274
+ # use exact IP matching.
275
+ it { should allow_in_only(port: 3389, ipv4_range: '10.5.1.34/32', position: 1) }
276
+ end
277
+
278
+ ### exists
279
+
280
+ The control passes if the specified Security Group was found. Use `should_not` if you want to verify that the specified SG does not exist.
281
+
282
+ # You always have at least one SG, the VPC default SG
283
+ describe aws_security_group(group_name: 'default')
284
+ it { should exist }
285
+ end
286
+
287
+ # Make sure we don't have any Security Groups with the name 'nogood'
288
+ describe aws_security_group(group_name: 'nogood')
289
+ it { should_not exist }
290
+ end
291
+
292
+ ## AWS Permissions
293
+
294
+ Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `ec2:DescribeSecurityGroups` action with Effect set to Allow.
295
+
296
+ You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).