inspec 4.22.1

data/lib/resources/aws/aws_config_recorder.rb

@@ -0,0 +1,99 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-configservice"
+
+class AwsConfigurationRecorder < Inspec.resource(1)
+  name "aws_config_recorder"
+  desc "Verifies settings for AWS Configuration Recorder"
+  example <<~EXAMPLE
+    describe aws_config_recorder('My_Recorder') do
+      it { should exist }
+      it { should be_recording }
+      it { should be_all_supported }
+      it { should have_include_global_resource_types }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsSingularResourceMixin
+  attr_reader :role_arn, :resource_types, :recorder_name
+
+  def to_s
+    "Configuration_Recorder: #{@recorder_name}"
+  end
+
+  def recording_all_resource_types?
+    @recording_all_resource_types
+  end
+
+  def recording_all_global_types?
+    @recording_all_global_types
+  end
+
+  def status
+    return {} unless @exists
+
+    backend = BackendFactory.create(inspec_runner)
+    catch_aws_errors do
+      response = backend.describe_configuration_recorder_status(configuration_recorder_names: [@recorder_name])
+      @status = response.configuration_recorders_status.first.to_h
+    end
+  end
+
+  def recording?
+    return unless @exists
+
+    status[:recording]
+  end
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:recorder_name],
+      allowed_scalar_name: :recorder_name,
+      allowed_scalar_type: String
+    )
+
+    validated_params
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    query = @recorder_name ? { configuration_recorder_names: [@recorder_name] } : {}
+    response = backend.describe_configuration_recorders(query)
+
+    @exists = !response.configuration_recorders.empty?
+    return unless exists?
+
+    if response.configuration_recorders.count > 1
+      raise ArgumentError, "Internal error: unexpectedly received multiple AWS Config Recorder objects from API; expected to be singleton per-region.  Please file a bug report at https://github.com/chef/inspec/issues ."
+    end
+
+    recorder = response.configuration_recorders.first.to_h
+    @recorder_name = recorder[:name]
+    @role_arn = recorder[:role_arn]
+    @recording_all_resource_types = recorder[:recording_group][:all_supported]
+    @recording_all_global_types = recorder[:recording_group][:include_global_resource_types]
+    @resource_types = recorder[:recording_group][:resource_types]
+  rescue Aws::ConfigService::Errors::NoSuchConfigurationRecorderException
+    @exists = false
+    nil
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::ConfigService::Client
+
+      def describe_configuration_recorders(query)
+        aws_service_client.describe_configuration_recorders(query)
+      end
+
+      def describe_configuration_recorder_status(query)
+        aws_service_client.describe_configuration_recorder_status(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_ebs_volume.rb

@@ -0,0 +1,127 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-ec2"
+
+class AwsEbsVolume < Inspec.resource(1)
+  name "aws_ebs_volume"
+  desc "Verifies settings for an EBS volume"
+
+  example <<~EXAMPLE
+    describe aws_ebs_volume('vol-123456') do
+      it { should be_encrypted }
+      its('size') { should cmp 8 }
+    end
+
+    describe aws_ebs_volume(name: 'my-volume') do
+      its('encrypted') { should eq true }
+      its('iops') { should cmp 100 }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  # TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin
+  def initialize(opts, conn = nil)
+    @opts = opts
+    @display_name = opts.is_a?(Hash) ? @opts[:name] : opts
+    @ec2_client = conn ? conn.ec2_client : inspec_runner.backend.aws_client(Aws::EC2::Client)
+    @ec2_resource = conn ? conn.ec2_resource : inspec_runner.backend.aws_resource(Aws::EC2::Resource, {})
+  end
+
+  # TODO: DRY up, see https://github.com/chef/inspec/issues/2633
+  # Copied from resource_support/aws/aws_resource_mixin.rb
+  def catch_aws_errors
+    yield
+  rescue Aws::Errors::MissingCredentialsError
+    # The AWS error here is unhelpful:
+    # "unable to sign request without credentials set"
+    Inspec::Log.error "It appears that you have not set your AWS credentials. You may set them using environment variables, or using the 'aws://region/aws_credentials_profile' target. See https://www.inspec.io/docs/reference/platforms for details."
+    fail_resource("No AWS credentials available")
+  rescue Aws::Errors::ServiceError => e
+    fail_resource(e.message)
+  end
+
+  # TODO: DRY up, see https://github.com/chef/inspec/issues/2633
+  # Copied from resource_support/aws/aws_singular_resource_mixin.rb
+  def inspec_runner
+    # When running under inspec-cli, we have an 'inspec' method that
+    # returns the runner. When running under unit tests, we don't
+    # have that, but we still have to call this to pass something
+    # (nil is OK) to the backend.
+    # TODO: remove with https://github.com/chef/inspec-aws/issues/216
+    # TODO: remove after rewrite to include AwsSingularResource
+    inspec if respond_to?(:inspec)
+  end
+
+  def id
+    return @volume_id if defined?(@volume_id)
+
+    catch_aws_errors do
+      if @opts.is_a?(Hash)
+        first = @ec2_resource.volumes(
+          {
+            filters: [{
+              name: "tag:Name",
+              values: [@opts[:name]],
+            }],
+          }
+        ).first
+        # catch case where the volume is not known
+        @volume_id = first.id unless first.nil?
+      else
+        @volume_id = @opts
+      end
+    end
+  end
+  alias volume_id id
+
+  def exists?
+    !volume.nil?
+  end
+
+  def encrypted?
+    volume.encrypted
+  end
+
+  # attributes that we want to expose
+  %w{
+    availability_zone encrypted iops kms_key_id size snapshot_id state volume_type
+  }.each do |attribute|
+    define_method attribute do
+      catch_aws_errors do
+        volume.send(attribute) if volume
+      end
+    end
+  end
+
+  # Don't document this - it's a bit hard to use.  Our current doctrine
+  # is to use dumb things, like arrays of strings - use security_group_ids instead.
+  def security_groups
+    catch_aws_errors do
+      @security_groups ||= volume.security_groups.map do |sg|
+        { id: sg.group_id, name: sg.group_name }
+      end
+    end
+  end
+
+  def security_group_ids
+    catch_aws_errors do
+      @security_group_ids ||= volume.security_groups.map(&:group_id)
+    end
+  end
+
+  def tags
+    catch_aws_errors do
+      @tags ||= volume.tags.map { |tag| { key: tag.key, value: tag.value } }
+    end
+  end
+
+  def to_s
+    "EBS Volume #{@display_name}"
+  end
+
+  private
+
+  def volume
+    catch_aws_errors { @volume ||= @ec2_resource.volume(id) }
+  end
+end

data/lib/resources/aws/aws_ebs_volumes.rb

@@ -0,0 +1,69 @@
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-ec2"
+
+class AwsEbsVolumes < Inspec.resource(1)
+  name "aws_ebs_volumes"
+  desc "Verifies settings for AWS EBS Volumes in bulk"
+  example <<~EXAMPLE
+    describe aws_ebs_volumes do
+      it { should exist }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsPluralResourceMixin
+  def validate_params(resource_params)
+    unless resource_params.empty?
+      raise ArgumentError, "aws_ebs_volumes does not accept resource parameters."
+    end
+
+    resource_params
+  end
+
+  # Underlying FilterTable implementation.
+  filter = FilterTable.create
+  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+  filter.register_column(:volume_ids, field: :volume_id)
+  filter.install_filter_methods_on_resource(self, :table)
+
+  def to_s
+    "EBS Volumes"
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    @table = []
+    pagination_opts = {}
+    loop do
+      api_result = backend.describe_volumes(pagination_opts)
+      @table += unpack_describe_volumes_response(api_result.volumes)
+      break unless api_result.next_token
+
+      pagination_opts = { next_token: api_result.next_token }
+    end
+  end
+
+  def unpack_describe_volumes_response(volumes)
+    volume_rows = []
+    volumes.each do |res|
+      volume_rows += res.attachments.map do |volume_struct|
+        {
+          volume_id: volume_struct.volume_id,
+        }
+      end
+    end
+    volume_rows
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::EC2::Client
+
+      def describe_volumes(query)
+        aws_service_client.describe_volumes(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_ec2_instance.rb

@@ -0,0 +1,162 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-ec2"
+
+class AwsEc2Instance < Inspec.resource(1)
+  name "aws_ec2_instance"
+  desc "Verifies settings for an EC2 instance"
+
+  example <<~EXAMPLE
+    describe aws_ec2_instance('i-123456') do
+      it { should be_running }
+      it { should have_roles }
+    end
+
+    describe aws_ec2_instance(name: 'my-instance') do
+      it { should be_running }
+      it { should have_roles }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  # TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin
+  def initialize(opts, conn = nil)
+    @opts = opts
+    @opts.is_a?(Hash) ? @display_name = @opts[:name] : @display_name = opts
+    @ec2_client = conn ? conn.ec2_client : inspec_runner.backend.aws_client(Aws::EC2::Client)
+    @ec2_resource = conn ? conn.ec2_resource : inspec_runner.backend.aws_resource(Aws::EC2::Resource, {})
+    @iam_resource = conn ? conn.iam_resource : inspec_runner.backend.aws_resource(Aws::IAM::Resource, {})
+  end
+
+  # TODO: DRY up, see https://github.com/chef/inspec/issues/2633
+  # Copied from resource_support/aws/aws_resource_mixin.rb
+  def catch_aws_errors
+    yield
+  rescue Aws::Errors::MissingCredentialsError
+    # The AWS error here is unhelpful:
+    # "unable to sign request without credentials set"
+    Inspec::Log.error "It appears that you have not set your AWS credentials.  You may set them using environment variables, or using the 'aws://region/aws_credentials_profile' target.  See https://www.inspec.io/docs/reference/platforms for details."
+    fail_resource("No AWS credentials available")
+  rescue Aws::Errors::ServiceError => e
+    fail_resource e.message
+  end
+
+  # TODO: DRY up, see https://github.com/chef/inspec/issues/2633
+  # Copied from resource_support/aws/aws_singular_resource_mixin.rb
+  def inspec_runner
+    # When running under inspec-cli, we have an 'inspec' method that
+    # returns the runner. When running under unit tests, we don't
+    # have that, but we still have to call this to pass something
+    # (nil is OK) to the backend.
+    # TODO: remove with https://github.com/chef/inspec-aws/issues/216
+    # TODO: remove after rewrite to include AwsSingularResource
+    inspec if respond_to?(:inspec)
+  end
+
+  def id
+    return @instance_id if defined?(@instance_id)
+
+    catch_aws_errors do
+      if @opts.is_a?(Hash)
+        first = @ec2_resource.instances(
+          {
+            filters: [{
+              name: "tag:Name",
+              values: [@opts[:name]],
+            }],
+          }
+        ).first
+        # catch case where the instance is not known
+        @instance_id = first.id unless first.nil?
+      else
+        @instance_id = @opts
+      end
+    end
+  end
+  alias instance_id id
+
+  def exists?
+    return false if instance.nil?
+
+    instance.exists?
+  end
+
+  # returns the instance state
+  def state
+    catch_aws_errors do
+      instance&.state&.name
+    end
+  end
+
+  # helper methods for each state
+  %w{
+    pending running shutting-down
+    terminated stopping stopped unknown
+  }.each do |state_name|
+    define_method state_name.tr("-", "_") + "?" do
+      state == state_name
+    end
+  end
+
+  # attributes that we want to expose
+  %w{
+    public_ip_address private_ip_address key_name private_dns_name
+    public_dns_name subnet_id architecture root_device_type
+    root_device_name virtualization_type client_token launch_time
+    instance_type image_id vpc_id
+  }.each do |attribute|
+    define_method attribute do
+      catch_aws_errors do
+        instance.send(attribute) if instance
+      end
+    end
+  end
+
+  # Don't document this - it's a bit hard to use.  Our current doctrine
+  # is to use dumb things, like arrays of strings - use security_group_ids instead.
+  def security_groups
+    catch_aws_errors do
+      @security_groups ||= instance.security_groups.map do |sg|
+        { id: sg.group_id, name: sg.group_name }
+      end
+    end
+  end
+
+  def security_group_ids
+    catch_aws_errors do
+      @security_group_ids ||= instance.security_groups.map(&:group_id)
+    end
+  end
+
+  def tags
+    catch_aws_errors do
+      @tags ||= instance.tags.map { |tag| { key: tag.key, value: tag.value } }
+    end
+  end
+
+  def to_s
+    "EC2 Instance #{@display_name}"
+  end
+
+  def has_roles?
+    catch_aws_errors do
+      instance_profile = instance.iam_instance_profile
+
+      if instance_profile
+        roles = @iam_resource.instance_profile(
+          instance_profile.arn.gsub(%r{^.*\/}, "")
+        ).roles
+      else
+        roles = nil
+      end
+
+      roles && !roles.empty?
+    end
+  end
+
+  private
+
+  def instance
+    catch_aws_errors { @instance ||= @ec2_resource.instance(id) }
+  end
+end