inspec 4.22.1

data/lib/resources/aws/aws_ec2_instances.rb

@@ -0,0 +1,69 @@
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-ec2"
+
+class AwsEc2Instances < Inspec.resource(1)
+  name "aws_ec2_instances"
+  desc "Verifies settings for AWS EC2 Instances in bulk"
+  example <<~EXAMPLE
+    describe aws_ec2_instances do
+      it { should exist }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsPluralResourceMixin
+  def validate_params(resource_params)
+    unless resource_params.empty?
+      raise ArgumentError, "aws_ec2_instances does not accept resource parameters."
+    end
+
+    resource_params
+  end
+
+  # Underlying FilterTable implementation.
+  filter = FilterTable.create
+  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+  filter.register_column(:instance_ids, field: :instance_id)
+  filter.install_filter_methods_on_resource(self, :table)
+
+  def to_s
+    "EC2 Instances"
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    @table = []
+    pagination_opts = {}
+    loop do
+      api_result = backend.describe_instances(pagination_opts)
+      @table += unpack_describe_instances_response(api_result.reservations)
+      break unless api_result.next_token
+
+      pagination_opts = { next_token: api_result.next_token }
+    end
+  end
+
+  def unpack_describe_instances_response(reservations)
+    instance_rows = []
+    reservations.each do |res|
+      instance_rows += res.instances.map do |instance_struct|
+        {
+          instance_id: instance_struct.instance_id,
+        }
+      end
+    end
+    instance_rows
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::EC2::Client
+
+      def describe_instances(query)
+        aws_service_client.describe_instances(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_ecs_cluster.rb

@@ -0,0 +1,88 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-ecs"
+
+class AwsEcsCluster < Inspec.resource(1)
+  name "aws_ecs_cluster"
+  desc "Verifies settings for an ECS cluster"
+
+  example <<~EXAMPLE
+    describe aws_ecs_cluster('default') do
+      it { should exist }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsSingularResourceMixin
+  attr_reader :cluster_arn, :cluster_name, :status,
+              :registered_container_instances_count, :running_tasks_count,
+              :pending_tasks_count, :active_services_count, :statistics
+
+  def to_s
+    "AWS ECS cluster #{cluster_name}"
+  end
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:cluster_name],
+      allowed_scalar_name: :cluster_name,
+      allowed_scalar_type: String
+    )
+
+    validated_params
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    begin
+      # Use default cluster if no cluster name is specified
+      params = cluster_name.nil? ? {} : { clusters: [cluster_name] }
+      clusters = backend.describe_clusters(params).clusters
+
+      # Cluster name is unique, we either get back one cluster, or none
+      if clusters.length == 1
+        @exists = true
+        unpack_describe_clusters_response(clusters.first)
+      else
+        @exists = false
+        populate_as_missing
+      end
+    end
+  end
+
+  def unpack_describe_clusters_response(cluster_struct)
+    @cluster_arn = cluster_struct.cluster_arn
+    @cluster_name = cluster_struct.cluster_name
+    @status = cluster_struct.status
+    @registered_container_instances_count = cluster_struct.registered_container_instances_count
+    @running_tasks_count = cluster_struct.running_tasks_count
+    @pending_tasks_count = cluster_struct.pending_tasks_count
+    @active_services_count = cluster_struct.active_services_count
+    @statistics = cluster_struct.statistics
+  end
+
+  def populate_as_missing
+    @cluster_arn = ""
+    @cluster_name = ""
+    @status = ""
+    @registered_container_instances_count = 0
+    @running_tasks_count = 0
+    @pending_tasks_count = 0
+    @active_services_count = 0
+    @statistics = []
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::ECS::Client
+
+      def describe_clusters(query = {})
+        aws_service_client.describe_clusters(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_eks_cluster.rb

@@ -0,0 +1,105 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-eks"
+
+class AwsEksCluster < Inspec.resource(1)
+  name "aws_eks_cluster"
+  desc "Verifies settings for an EKS cluster"
+
+  example <<~EXAMPLE
+    describe aws_eks_cluster('default') do
+      it { should exist }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsSingularResourceMixin
+  attr_reader :version, :arn, :cluster_name, :certificate_authority, :name,
+              :status, :endpoint, :subnets_count, :subnet_ids, :security_group_ids,
+              :created_at, :role_arn, :vpc_id, :security_groups_count, :creating,
+              :active, :failed, :deleting
+  # Use aliases for matchers
+  alias active? active
+  alias failed? failed
+  alias creating? creating
+  alias deleting? deleting
+
+  def to_s
+    "AWS EKS cluster #{cluster_name}"
+  end
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:cluster_name],
+      allowed_scalar_name: :cluster_name,
+      allowed_scalar_type: String
+    )
+
+    if validated_params.empty?
+      raise ArgumentError, "You must provide a cluster_name to aws_eks_cluster."
+    end
+
+    validated_params
+  end
+
+  def fetch_from_api # rubocop:disable Metrics/AbcSize
+    backend = BackendFactory.create(inspec_runner)
+    begin
+      params = { name: cluster_name }
+      resp = backend.describe_cluster(params)
+    rescue Aws::EKS::Errors::ResourceNotFoundException
+      @exists = false
+      populate_as_missing
+      return
+    end
+    @exists = true
+    cluster = resp.to_h[:cluster]
+    @version = cluster[:version]
+    @name = cluster[:name]
+    @arn = cluster[:arn]
+    @certificate_authority = cluster[:certificate_authority][:data]
+    @created_at = cluster[:created_at]
+    @endpoint = cluster[:endpoint]
+    @security_group_ids = cluster[:resources_vpc_config][:security_group_ids]
+    @subnet_ids = cluster[:resources_vpc_config][:subnet_ids]
+    @subnets_count = cluster[:resources_vpc_config][:subnet_ids].length
+    @security_groups_count = cluster[:resources_vpc_config][:security_group_ids].length
+    @vpc_id = cluster[:resources_vpc_config][:vpc_id]
+    @role_arn = cluster[:role_arn]
+    @status = cluster[:status]
+    @active = cluster[:status] == "ACTIVE"
+    @failed = cluster[:status] == "FAILED"
+    @creating = cluster[:status] == "CREATING"
+    @deleting = cluster[:status] == "DELETING"
+  end
+
+  def populate_as_missing
+    @version = nil
+    @name = cluster_name # name is an alias for cluster_name, and it is retained on a miss
+    @arn = nil
+    @certificate_authority = nil
+    @created_at = nil
+    @endpoint = nil
+    @security_group_ids = []
+    @subnet_ids = []
+    @subnets_count = nil
+    @security_groups_count = nil
+    @vpc_id = nil
+    @role_arn = nil
+    @status = nil
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::EKS::Client
+
+      def describe_cluster(query = {})
+        aws_service_client.describe_cluster(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_elb.rb

@@ -0,0 +1,85 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-elasticloadbalancing"
+
+class AwsElb < Inspec.resource(1)
+  name "aws_elb"
+  desc "Verifies settings for AWS Elastic Load Balancer"
+  example <<~EXAMPLE
+    describe aws_elb('myelb') do
+      it { should exist }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsSingularResourceMixin
+  attr_reader :availability_zones, :dns_name, :elb_name, :external_ports,
+              :instance_ids, :internal_ports, :security_group_ids,
+              :subnet_ids, :vpc_id
+
+  def to_s
+    "AWS ELB #{elb_name}"
+  end
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:elb_name],
+      allowed_scalar_name: :elb_name,
+      allowed_scalar_type: String
+    )
+
+    if validated_params.empty?
+      raise ArgumentError, "You must provide a elb_name to aws_elb."
+    end
+
+    validated_params
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    begin
+      lbs = backend.describe_load_balancers(load_balancer_names: [elb_name]).load_balancer_descriptions
+      @exists = true
+      # Load balancer names are uniq; we will either have 0 or 1 result
+      unpack_describe_elbs_response(lbs.first)
+    rescue Aws::ElasticLoadBalancing::Errors::LoadBalancerNotFound
+      @exists = false
+      populate_as_missing
+    end
+  end
+
+  def unpack_describe_elbs_response(lb_struct)
+    @availability_zones = lb_struct.availability_zones
+    @dns_name = lb_struct.dns_name
+    @external_ports = lb_struct.listener_descriptions.map { |ld| ld.listener.load_balancer_port }
+    @instance_ids = lb_struct.instances.map(&:instance_id)
+    @internal_ports = lb_struct.listener_descriptions.map { |ld| ld.listener.instance_port }
+    @elb_name = lb_struct.load_balancer_name
+    @security_group_ids = lb_struct.security_groups
+    @subnet_ids = lb_struct.subnets
+    @vpc_id = lb_struct.vpc_id
+  end
+
+  def populate_as_missing
+    @availability_zones = []
+    @external_ports = []
+    @instance_ids = []
+    @internal_ports = []
+    @security_group_ids = []
+    @subnet_ids = []
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::ElasticLoadBalancing::Client
+
+      def describe_load_balancers(query = {})
+        aws_service_client.describe_load_balancers(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_elbs.rb

@@ -0,0 +1,84 @@
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-elasticloadbalancing"
+
+class AwsElbs < Inspec.resource(1)
+  name "aws_elbs"
+  desc "Verifies settings for AWS ELBs (classic Elastic Load Balancers) in bulk"
+  example <<~EXAMPLE
+    describe aws_elbs do
+      it { should exist }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsPluralResourceMixin
+  def validate_params(resource_params)
+    unless resource_params.empty?
+      raise ArgumentError, "aws_elbs does not accept resource parameters."
+    end
+
+    resource_params
+  end
+
+  # Underlying FilterTable implementation.
+  filter = FilterTable.create
+  filter.add_accessor(:entries)
+    .add_accessor(:where)
+    .add(:exists?) { |table| !table.params.empty? }
+    .add(:count) { |table| table.params.count }
+    .add(:availability_zones, field: :availability_zones, style: :simple)
+    .add(:dns_names, field: :dns_name)
+    .add(:external_ports, field: :external_ports, style: :simple)
+    .add(:instance_ids, field: :instance_ids, style: :simple)
+    .add(:internal_ports, field: :internal_ports, style: :simple)
+    .add(:elb_names, field: :elb_name)
+    .add(:security_group_ids, field: :security_group_ids, style: :simple)
+    .add(:subnet_ids, field: :subnet_ids, style: :simple)
+    .add(:vpc_ids, field: :vpc_id, style: :simple)
+  filter.connect(self, :table)
+
+  def to_s
+    "AWS ELBs"
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    @table = []
+    pagination_opts = {}
+    loop do
+      api_result = backend.describe_load_balancers(pagination_opts)
+      @table += unpack_describe_elbs_response(api_result.load_balancer_descriptions)
+      break unless api_result.next_marker
+
+      pagination_opts = { marker: api_result.next_marker }
+    end
+  end
+
+  def unpack_describe_elbs_response(load_balancers)
+    load_balancers.map do |lb_struct|
+      {
+        availability_zones: lb_struct.availability_zones,
+        dns_name: lb_struct.dns_name,
+        external_ports: lb_struct.listener_descriptions.map { |ld| ld.listener.load_balancer_port },
+        instance_ids: lb_struct.instances.map(&:instance_id),
+        internal_ports: lb_struct.listener_descriptions.map { |ld| ld.listener.instance_port },
+        elb_name: lb_struct.load_balancer_name,
+        security_group_ids: lb_struct.security_groups,
+        subnet_ids: lb_struct.subnets,
+        vpc_id: lb_struct.vpc_id,
+      }
+    end
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::ElasticLoadBalancing::Client
+
+      def describe_load_balancers(query = {})
+        aws_service_client.describe_load_balancers(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_flow_log.rb

@@ -0,0 +1,106 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-ec2"
+
+class AwsFlowLog < Inspec.resource(1)
+  name "aws_flow_log"
+  supports platform: "aws"
+  desc "This resource is used to test the attributes of a Flow Log."
+  example <<~EXAMPLE
+    describe aws_flow_log('fl-9c718cf5') do
+      it { should exist }
+    end
+  EXAMPLE
+
+  include AwsSingularResourceMixin
+
+  def to_s
+    "AWS Flow Log #{id}"
+  end
+
+  def resource_type
+    case @resource_id
+    when /^eni/
+      @resource_type = "eni"
+    when /^subnet/
+      @resource_type = "subnet"
+    when /^vpc/
+      @resource_type = "vpc"
+    end
+  end
+
+  def attached_to_eni?
+    resource_type.eql?("eni") ? true : false
+  end
+
+  def attached_to_subnet?
+    resource_type.eql?("subnet") ? true : false
+  end
+
+  def attached_to_vpc?
+    resource_type.eql?("vpc") ? true : false
+  end
+
+  attr_reader :log_group_name, :resource_id, :flow_log_id
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: %i{flow_log_id subnet_id vpc_id},
+      allowed_scalar_name: :flow_log_id,
+      allowed_scalar_type: String
+    )
+
+    if validated_params.empty?
+      raise ArgumentError,
+            "aws_flow_log requires a parameter: flow_log_id, subnet_id, or vpc_id"
+    end
+
+    validated_params
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+
+    resp = backend.describe_flow_logs(filter_args)
+    flow_log = resp.to_h[:flow_logs].first
+    @exists = !flow_log.nil?
+    unless flow_log.nil?
+      @log_group_name = flow_log[:log_group_name]
+      @resource_id = flow_log[:resource_id]
+      @flow_log_id = flow_log[:flow_log_id]
+    end
+  end
+
+  def filter_args
+    if @flow_log_id
+      { filter: [{ name: "flow-log-id", values: [@flow_log_id] }] }
+    elsif @subnet_id || @vpc_id
+      filter = @subnet_id || @vpc_id
+      { filter: [{ name: "resource-id", values: [filter] }] }
+    end
+  end
+
+  def id
+    return @flow_log_id if @flow_log_id
+    return @subnet_id if @subnet_id
+    return @vpc_id if @vpc_id
+  end
+
+  def backend
+    BackendFactory.create(inspec_runner)
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      AwsFlowLog::BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::EC2::Client
+
+      def describe_flow_logs(query)
+        aws_service_client.describe_flow_logs(query)
+      end
+    end
+  end
+end