inspec 4.22.1

data/lib/resources/aws/aws_billing_reports.rb

@@ -0,0 +1,74 @@
+require "inspec/utils/filter"
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-costandusagereportservice"
+
+class AwsBillingReports < Inspec.resource(1)
+  name "aws_billing_reports"
+  supports platform: "aws"
+  desc "Verifies settings for AWS Cost and Billing Reports."
+  example <<~EXAMPLE
+    describe aws_billing_reports do
+      its('report_names') { should include 'inspec1' }
+      its('s3_buckets') { should include 'inspec1-s3-bucket' }
+    end
+
+    describe aws_billing_reports.where { report_name =~ /inspec.*/ } do
+      its ('report_names') { should include ['inspec1'] }
+      its ('time_units') { should include ['DAILY'] }
+      its ('s3_buckets') { should include ['inspec1-s3-bucket'] }
+    end
+  EXAMPLE
+
+  include AwsPluralResourceMixin
+
+  filtertable = FilterTable.create
+  filtertable.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+    .register_column(:report_names, field: :report_name)
+    .register_column(:time_units, field: :time_unit, style: :simple)
+    .register_column(:formats, field: :format, style: :simple)
+    .register_column(:compressions, field: :compression, style: :simple)
+    .register_column(:s3_buckets, field: :s3_bucket, style: :simple)
+    .register_column(:s3_prefixes, field: :s3_prefix, style: :simple)
+    .register_column(:s3_regions, field: :s3_region, style: :simple)
+  filtertable.install_filter_methods_on_resource(self, :table)
+
+  def validate_params(resource_params)
+    unless resource_params.empty?
+      raise ArgumentError, "aws_billing_reports does not accept resource parameters."
+    end
+
+    resource_params
+  end
+
+  def to_s
+    "AWS Billing Reports"
+  end
+
+  def fetch_from_api
+    @table = []
+    pagination_opts = {}
+    backend = BackendFactory.create(inspec_runner)
+    loop do
+      api_result = backend.describe_report_definitions(pagination_opts)
+      api_result.report_definitions.each do |raw_report|
+        report = raw_report.to_h
+        %i{time_unit compression}.each { |field| report[field].downcase! }
+        @table << report
+      end
+      pagination_opts = { next_token: api_result.next_token }
+      break unless api_result.next_token
+    end
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      AwsBillingReports::BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::CostandUsageReportService::Client
+
+      def describe_report_definitions(options = {})
+        aws_service_client.describe_report_definitions(options)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_cloudtrail_trail.rb

@@ -0,0 +1,97 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-cloudtrail"
+
+class AwsCloudTrailTrail < Inspec.resource(1)
+  name "aws_cloudtrail_trail"
+  desc "Verifies settings for an individual AWS CloudTrail Trail"
+  example <<~EXAMPLE
+    describe aws_cloudtrail_trail('trail-name') do
+      it { should exist }
+    end
+  EXAMPLE
+
+  supports platform: "aws"
+
+  include AwsSingularResourceMixin
+  attr_reader :cloud_watch_logs_log_group_arn, :cloud_watch_logs_role_arn, :home_region,
+              :kms_key_id, :s3_bucket_name, :trail_arn
+
+  def to_s
+    "CloudTrail #{@trail_name}"
+  end
+
+  def multi_region_trail?
+    @is_multi_region_trail
+  end
+
+  def log_file_validation_enabled?
+    @log_file_validation_enabled
+  end
+
+  def encrypted?
+    !kms_key_id.nil?
+  end
+
+  def delivered_logs_days_ago
+    query = { name: @trail_name }
+    catch_aws_errors do
+      begin
+        resp = BackendFactory.create(inspec_runner).get_trail_status(query).to_h
+        ((Time.now - resp[:latest_cloud_watch_logs_delivery_time]) / (24 * 60 * 60)).to_i unless resp[:latest_cloud_watch_logs_delivery_time].nil?
+      rescue Aws::CloudTrail::Errors::TrailNotFoundException
+        nil
+      end
+    end
+  end
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:trail_name],
+      allowed_scalar_name: :trail_name,
+      allowed_scalar_type: String
+    )
+
+    if validated_params.empty?
+      raise ArgumentError, "You must provide the parameter 'trail_name' to aws_cloudtrail_trail."
+    end
+
+    validated_params
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+
+    query = { trail_name_list: [@trail_name] }
+    resp = backend.describe_trails(query)
+
+    @trail = resp.trail_list[0].to_h
+    @exists = !@trail.empty?
+    @s3_bucket_name = @trail[:s3_bucket_name]
+    @is_multi_region_trail = @trail[:is_multi_region_trail]
+    @trail_arn = @trail[:trail_arn]
+    @log_file_validation_enabled = @trail[:log_file_validation_enabled]
+    @cloud_watch_logs_role_arn = @trail[:cloud_watch_logs_role_arn]
+    @cloud_watch_logs_log_group_arn = @trail[:cloud_watch_logs_log_group_arn]
+    @kms_key_id = @trail[:kms_key_id]
+    @home_region = @trail[:home_region]
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      AwsCloudTrailTrail::BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::CloudTrail::Client
+
+      def describe_trails(query)
+        aws_service_client.describe_trails(query)
+      end
+
+      def get_trail_status(query)
+        aws_service_client.get_trail_status(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_cloudtrail_trails.rb

@@ -0,0 +1,51 @@
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-cloudtrail"
+
+class AwsCloudTrailTrails < Inspec.resource(1)
+  name "aws_cloudtrail_trails"
+  desc "Verifies settings for AWS CloudTrail Trails in bulk"
+  example <<~EXAMPLE
+    describe aws_cloudtrail_trails do
+      it { should exist }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsPluralResourceMixin
+
+  def validate_params(resource_params)
+    unless resource_params.empty?
+      raise ArgumentError, "aws_cloudtrail_trails does not accept resource parameters."
+    end
+
+    resource_params
+  end
+
+  # Underlying FilterTable implementation.
+  filter = FilterTable.create
+  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+  filter.register_column(:trail_arns, field: :trail_arn)
+  filter.register_column(:names, field: :name)
+  filter.install_filter_methods_on_resource(self, :table)
+
+  def to_s
+    "CloudTrail Trails"
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    @table = backend.describe_trails({}).to_h[:trail_list]
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      AwsCloudTrailTrails::BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::CloudTrail::Client
+
+      def describe_trails(query)
+        aws_service_client.describe_trails(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_cloudwatch_alarm.rb

@@ -0,0 +1,67 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-cloudwatch"
+
+class AwsCloudwatchAlarm < Inspec.resource(1)
+  name "aws_cloudwatch_alarm"
+  desc <<~EXAMPLE
+    # Look for a specific alarm
+    aws_cloudwatch_alarm(
+      metric_name: 'my-metric-name',
+      metric_namespace: 'my-metric-namespace',
+    ) do
+      it { should exist }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsSingularResourceMixin
+  attr_reader :alarm_actions, :alarm_name, :metric_name, :metric_namespace
+
+  private
+
+  def validate_params(raw_params)
+    recognized_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: %i{metric_name metric_namespace}
+    )
+    validated_params = {}
+    # Currently you must specify exactly metric_name and metric_namespace
+    %i{metric_name metric_namespace}.each do |param|
+      raise ArgumentError, "Missing resource param #{param}" unless recognized_params.key?(param)
+
+      validated_params[param] = recognized_params.delete(param)
+    end
+
+    validated_params
+  end
+
+  def fetch_from_api
+    aws_alarms = BackendFactory.create(inspec_runner).describe_alarms_for_metric(
+      metric_name: @metric_name,
+      namespace: @metric_namespace
+    )
+    if aws_alarms.metric_alarms.empty?
+      @exists = false
+    elsif aws_alarms.metric_alarms.count > 1
+      alarms = aws_alarms.metric_alarms.map(&:alarm_name)
+      raise "More than one Cloudwatch Alarm was matched. Try using " \
+        "more specific resource parameters. Alarms matched: #{alarms.join(", ")}"
+    else
+      @alarm_actions = aws_alarms.metric_alarms.first.alarm_actions
+      @alarm_name = aws_alarms.metric_alarms.first.alarm_name
+      @exists = true
+    end
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      AwsCloudwatchAlarm::BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::CloudWatch::Client
+
+      def describe_alarms_for_metric(query)
+        aws_service_client.describe_alarms_for_metric(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_cloudwatch_log_metric_filter.rb

@@ -0,0 +1,105 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-cloudwatchlogs"
+
+class AwsCloudwatchLogMetricFilter < Inspec.resource(1)
+  name "aws_cloudwatch_log_metric_filter"
+  desc "Verifies individual Cloudwatch Log Metric Filters"
+  example <<~EXAMPLE
+    # Look for a LMF by its filter name and log group name.  This combination
+    # will always either find at most one LMF - no duplicates.
+    describe aws_cloudwatch_log_metric_filter(
+      filter_name: 'my-filter',
+      log_group_name: 'my-log-group'
+    ) do
+      it { should exist }
+    end
+
+    # Search for an LMF by pattern and log group.
+    # This could result in an error if the results are not unique.
+    describe aws_cloudwatch_log_metric_filter(
+      log_group_name:  'my-log-group',
+      pattern: 'my-filter'
+    ) do
+      it { should exist }
+    end
+  EXAMPLE
+  supports platform: "aws"
+  include AwsSingularResourceMixin
+  attr_reader :filter_name, :log_group_name, :metric_name, :metric_namespace, :pattern
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: %i{filter_name log_group_name pattern}
+    )
+    if validated_params.empty?
+      raise ArgumentError, "You must provide either filter_name, log_group, or pattern to aws_cloudwatch_log_metric_filter."
+    end
+
+    validated_params
+  end
+
+  def fetch_from_api
+    # get a backend
+    backend = BackendFactory.create(inspec_runner)
+
+    # Perform query with remote filtering
+    aws_search_criteria = {}
+    aws_search_criteria[:filter_name] = filter_name if filter_name
+    aws_search_criteria[:log_group_name] = log_group_name if log_group_name
+    begin
+      aws_results = backend.describe_metric_filters(aws_search_criteria)
+    rescue Aws::CloudWatchLogs::Errors::ResourceNotFoundException
+      @exists = false
+      return
+    end
+
+    # Then perform local filtering
+    if pattern
+      aws_results.select! { |lmf| lmf.filter_pattern == pattern }
+    end
+
+    # Check result count.  We're a singular resource and can tolerate
+    # 0 or 1 results, not multiple.
+    if aws_results.count > 1
+      raise "More than one result was returned, but aws_cloudwatch_log_metric_filter "\
+            "can only handle a single AWS resource.  Consider passing more resource "\
+            "parameters to narrow down the search."
+    elsif aws_results.empty?
+      @exists = false
+    else
+      @exists = true
+      # Unpack the funny-shaped object we got back from AWS into our instance vars
+      lmf = aws_results.first
+      @filter_name = lmf.filter_name
+      @log_group_name = lmf.log_group_name
+      @pattern = lmf.filter_pattern # Note inconsistent name
+      # AWS SDK returns an array of metric transformations
+      # but only allows one (mandatory) entry, let's flatten that
+      @metric_name = lmf.metric_transformations.first.metric_name
+      @metric_namespace = lmf.metric_transformations.first.metric_namespace
+    end
+  end
+
+  class Backend
+    # Uses the cloudwatch API to really talk to AWS
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::CloudWatchLogs::Client
+
+      def describe_metric_filters(criteria)
+        query = {}
+        query[:filter_name_prefix] = criteria[:filter_name] if criteria[:filter_name]
+        query[:log_group_name] = criteria[:log_group_name] if criteria[:log_group_name]
+        # 'pattern' is not available as a remote filter,
+        # we filter it after the fact locally
+        # TODO: handle pagination?  Max 50/page.  Maybe you want a plural resource?
+        aws_response = aws_service_client.describe_metric_filters(query)
+        aws_response.metric_filters
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_config_delivery_channel.rb

@@ -0,0 +1,74 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-configservice"
+
+class AwsConfigDeliveryChannel < Inspec.resource(1)
+  name "aws_config_delivery_channel"
+  desc "Verifies settings for AWS Config Delivery Channel"
+  example <<~EXAMPLE
+    describe aws_config_delivery_channel do
+      it { should exist }
+      its('s3_bucket_name') { should eq 'my_bucket' }
+      its('sns_topic_arn') { should eq arn:aws:sns:us-east-1:721741954427:sns_topic' }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsSingularResourceMixin
+  attr_reader :channel_name, :s3_bucket_name, :s3_key_prefix, :sns_topic_arn,
+              :delivery_frequency_in_hours
+
+  def to_s
+    "Config_Delivery_Channel: #{@channel_name}"
+  end
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:channel_name],
+      allowed_scalar_name: :channel_name,
+      allowed_scalar_type: String
+    )
+
+    validated_params
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    query = @channel_name ? { delivery_channel_names: [@channel_name] } : {}
+    response = backend.describe_delivery_channels(query)
+
+    @exists = !response.delivery_channels.empty?
+    return unless exists?
+
+    channel = response.delivery_channels.first.to_h
+    @channel_name = channel[:name]
+    @s3_bucket_name = channel[:s3_bucket_name]
+    @s3_key_prefix = channel[:s3_key_prefix]
+    @sns_topic_arn = channel[:sns_topic_arn]
+    @delivery_frequency_in_hours = channel.dig(:config_snapshot_delivery_properties, :delivery_frequency)
+    frequencies = {
+      "One_Hour" => 1,
+      "TwentyFour_Hours" => 24,
+      "Three_Hours" => 3,
+      "Six_Hours" => 6,
+      "Twelve_Hours" => 12,
+    }
+    @delivery_frequency_in_hours = frequencies[@delivery_frequency_in_hours]
+  rescue Aws::ConfigService::Errors::NoSuchDeliveryChannelException
+    @exists = false
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::ConfigService::Client
+
+      def describe_delivery_channels(query = {})
+        aws_service_client.describe_delivery_channels(query)
+      end
+    end
+  end
+end