inspec 4.3.2 → 4.6.3

data/lib/resources/aws/aws_ebs_volumes.rb

@@ -1,17 +1,21 @@
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-ec2"
+
 class AwsEbsVolumes < Inspec.resource(1)
-  name 'aws_ebs_volumes'
-  desc 'Verifies settings for AWS EBS Volumes in bulk'
+  name "aws_ebs_volumes"
+  desc "Verifies settings for AWS EBS Volumes in bulk"
   example <<~EXAMPLE
     describe aws_ebs_volumes do
       it { should exist }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsPluralResourceMixin
   def validate_params(resource_params)
     unless resource_params.empty?
-      raise ArgumentError, 'aws_ebs_volumes does not accept resource parameters.'
+      raise ArgumentError, "aws_ebs_volumes does not accept resource parameters."
     end
     resource_params
   end
@@ -23,7 +27,7 @@ class AwsEbsVolumes < Inspec.resource(1)
   filter.install_filter_methods_on_resource(self, :table)
 
   def to_s
-    'EBS Volumes'
+    "EBS Volumes"
   end
 
   def fetch_from_api

data/lib/resources/aws/aws_ec2_instance.rb

@@ -1,7 +1,10 @@
-# author: Christoph Hartmann
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-ec2"
+
 class AwsEc2Instance < Inspec.resource(1)
-  name 'aws_ec2_instance'
-  desc 'Verifies settings for an EC2 instance'
+  name "aws_ec2_instance"
+  desc "Verifies settings for an EC2 instance"
 
   example <<~EXAMPLE
     describe aws_ec2_instance('i-123456') do
@@ -14,7 +17,7 @@ class AwsEc2Instance < Inspec.resource(1)
       it { should have_roles }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   # TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin
   def initialize(opts, conn = nil)
@@ -33,7 +36,7 @@ class AwsEc2Instance < Inspec.resource(1)
     # The AWS error here is unhelpful:
     # "unable to sign request without credentials set"
     Inspec::Log.error "It appears that you have not set your AWS credentials.  You may set them using environment variables, or using the 'aws://region/aws_credentials_profile' target.  See https://www.inspec.io/docs/reference/platforms for details."
-    fail_resource('No AWS credentials available')
+    fail_resource("No AWS credentials available")
   rescue Aws::Errors::ServiceError => e
     fail_resource e.message
   end
@@ -57,10 +60,10 @@ class AwsEc2Instance < Inspec.resource(1)
         first = @ec2_resource.instances(
           {
             filters: [{
-              name: 'tag:Name',
+              name: "tag:Name",
               values: [@opts[:name]],
             }],
-          },
+          }
         ).first
         # catch case where the instance is not known
         @instance_id = first.id unless first.nil?
@@ -88,7 +91,7 @@ class AwsEc2Instance < Inspec.resource(1)
     pending running shutting-down
     terminated stopping stopped unknown
   }.each do |state_name|
-    define_method state_name.tr('-', '_') + '?' do
+    define_method state_name.tr("-", "_") + "?" do
       state == state_name
     end
   end
@@ -111,9 +114,9 @@ class AwsEc2Instance < Inspec.resource(1)
   # is to use dumb things, like arrays of strings - use security_group_ids instead.
   def security_groups
     catch_aws_errors do
-      @security_groups ||= instance.security_groups.map { |sg|
+      @security_groups ||= instance.security_groups.map do |sg|
         { id: sg.group_id, name: sg.group_name }
-      }
+      end
     end
   end
 
@@ -139,7 +142,7 @@ class AwsEc2Instance < Inspec.resource(1)
 
       if instance_profile
         roles = @iam_resource.instance_profile(
-          instance_profile.arn.gsub(%r{^.*\/}, ''),
+          instance_profile.arn.gsub(%r{^.*\/}, "")
         ).roles
       else
         roles = nil

data/lib/resources/aws/aws_ec2_instances.rb

@@ -1,17 +1,21 @@
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-ec2"
+
 class AwsEc2Instances < Inspec.resource(1)
-  name 'aws_ec2_instances'
-  desc 'Verifies settings for AWS EC2 Instances in bulk'
+  name "aws_ec2_instances"
+  desc "Verifies settings for AWS EC2 Instances in bulk"
   example <<~EXAMPLE
     describe aws_ec2_instances do
       it { should exist }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsPluralResourceMixin
   def validate_params(resource_params)
     unless resource_params.empty?
-      raise ArgumentError, 'aws_ec2_instances does not accept resource parameters.'
+      raise ArgumentError, "aws_ec2_instances does not accept resource parameters."
     end
     resource_params
   end
@@ -23,7 +27,7 @@ class AwsEc2Instances < Inspec.resource(1)
   filter.install_filter_methods_on_resource(self, :table)
 
   def to_s
-    'EC2 Instances'
+    "EC2 Instances"
   end
 
   def fetch_from_api

data/lib/resources/aws/aws_ecs_cluster.rb

@@ -1,13 +1,17 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-ecs"
+
 class AwsEcsCluster < Inspec.resource(1)
-  name 'aws_ecs_cluster'
-  desc 'Verifies settings for an ECS cluster'
+  name "aws_ecs_cluster"
+  desc "Verifies settings for an ECS cluster"
 
   example <<~EXAMPLE
     describe aws_ecs_cluster('default') do
       it { should exist }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsSingularResourceMixin
   attr_reader :cluster_arn, :cluster_name, :status,
@@ -25,7 +29,7 @@ class AwsEcsCluster < Inspec.resource(1)
       raw_params: raw_params,
       allowed_params: [:cluster_name],
       allowed_scalar_name: :cluster_name,
-      allowed_scalar_type: String,
+      allowed_scalar_type: String
     )
 
     validated_params
@@ -61,9 +65,9 @@ class AwsEcsCluster < Inspec.resource(1)
   end
 
   def populate_as_missing
-    @cluster_arn = ''
-    @cluster_name = ''
-    @status = ''
+    @cluster_arn = ""
+    @cluster_name = ""
+    @status = ""
     @registered_container_instances_count = 0
     @running_tasks_count = 0
     @pending_tasks_count = 0

data/lib/resources/aws/aws_eks_cluster.rb

@@ -1,13 +1,17 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-eks"
+
 class AwsEksCluster < Inspec.resource(1)
-  name 'aws_eks_cluster'
-  desc 'Verifies settings for an EKS cluster'
+  name "aws_eks_cluster"
+  desc "Verifies settings for an EKS cluster"
 
   example <<~EXAMPLE
     describe aws_eks_cluster('default') do
       it { should exist }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsSingularResourceMixin
   attr_reader :version, :arn, :cluster_name, :certificate_authority, :name,
@@ -31,11 +35,11 @@ class AwsEksCluster < Inspec.resource(1)
       raw_params: raw_params,
       allowed_params: [:cluster_name],
       allowed_scalar_name: :cluster_name,
-      allowed_scalar_type: String,
+      allowed_scalar_type: String
     )
 
     if validated_params.empty?
-      raise ArgumentError, 'You must provide a cluster_name to aws_eks_cluster.'
+      raise ArgumentError, "You must provide a cluster_name to aws_eks_cluster."
     end
 
     validated_params
@@ -66,10 +70,10 @@ class AwsEksCluster < Inspec.resource(1)
     @vpc_id = cluster[:resources_vpc_config][:vpc_id]
     @role_arn = cluster[:role_arn]
     @status = cluster[:status]
-    @active = cluster[:status] == 'ACTIVE'
-    @failed = cluster[:status] == 'FAILED'
-    @creating = cluster[:status] == 'CREATING'
-    @deleting = cluster[:status] == 'DELETING'
+    @active = cluster[:status] == "ACTIVE"
+    @failed = cluster[:status] == "FAILED"
+    @creating = cluster[:status] == "CREATING"
+    @deleting = cluster[:status] == "DELETING"
   end
 
   def populate_as_missing

data/lib/resources/aws/aws_elb.rb

@@ -1,12 +1,16 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-elasticloadbalancing"
+
 class AwsElb < Inspec.resource(1)
-  name 'aws_elb'
-  desc 'Verifies settings for AWS Elastic Load Balancer'
+  name "aws_elb"
+  desc "Verifies settings for AWS Elastic Load Balancer"
   example <<~EXAMPLE
     describe aws_elb('myelb') do
       it { should exist }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsSingularResourceMixin
   attr_reader :availability_zones, :dns_name, :elb_name, :external_ports,
@@ -24,11 +28,11 @@ class AwsElb < Inspec.resource(1)
       raw_params: raw_params,
       allowed_params: [:elb_name],
       allowed_scalar_name: :elb_name,
-      allowed_scalar_type: String,
+      allowed_scalar_type: String
     )
 
     if validated_params.empty?
-      raise ArgumentError, 'You must provide a elb_name to aws_elb.'
+      raise ArgumentError, "You must provide a elb_name to aws_elb."
     end
 
     validated_params

data/lib/resources/aws/aws_elbs.rb

@@ -1,17 +1,21 @@
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-elasticloadbalancing"
+
 class AwsElbs < Inspec.resource(1)
-  name 'aws_elbs'
-  desc 'Verifies settings for AWS ELBs (classic Elastic Load Balancers) in bulk'
+  name "aws_elbs"
+  desc "Verifies settings for AWS ELBs (classic Elastic Load Balancers) in bulk"
   example <<~EXAMPLE
     describe aws_elbs do
       it { should exist }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsPluralResourceMixin
   def validate_params(resource_params)
     unless resource_params.empty?
-      raise ArgumentError, 'aws_elbs does not accept resource parameters.'
+      raise ArgumentError, "aws_elbs does not accept resource parameters."
     end
     resource_params
   end
@@ -34,7 +38,7 @@ class AwsElbs < Inspec.resource(1)
   filter.connect(self, :table)
 
   def to_s
-    'AWS ELBs'
+    "AWS ELBs"
   end
 
   def fetch_from_api

data/lib/resources/aws/aws_flow_log.rb

@@ -1,7 +1,11 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-ec2"
+
 class AwsFlowLog < Inspec.resource(1)
-  name 'aws_flow_log'
-  supports platform: 'aws'
-  desc 'This resource is used to test the attributes of a Flow Log.'
+  name "aws_flow_log"
+  supports platform: "aws"
+  desc "This resource is used to test the attributes of a Flow Log."
   example <<~EXAMPLE
     describe aws_flow_log('fl-9c718cf5') do
       it { should exist }
@@ -17,24 +21,24 @@ class AwsFlowLog < Inspec.resource(1)
   def resource_type
     case @resource_id
     when /^eni/
-      @resource_type = 'eni'
+      @resource_type = "eni"
     when /^subnet/
-      @resource_type = 'subnet'
+      @resource_type = "subnet"
     when /^vpc/
-      @resource_type = 'vpc'
+      @resource_type = "vpc"
     end
   end
 
   def attached_to_eni?
-    resource_type.eql?('eni') ? true : false
+    resource_type.eql?("eni") ? true : false
   end
 
   def attached_to_subnet?
-    resource_type.eql?('subnet') ? true : false
+    resource_type.eql?("subnet") ? true : false
   end
 
   def attached_to_vpc?
-    resource_type.eql?('vpc') ? true : false
+    resource_type.eql?("vpc") ? true : false
   end
 
   attr_reader :log_group_name, :resource_id, :flow_log_id
@@ -46,12 +50,12 @@ class AwsFlowLog < Inspec.resource(1)
       raw_params: raw_params,
       allowed_params: [:flow_log_id, :subnet_id, :vpc_id],
       allowed_scalar_name: :flow_log_id,
-      allowed_scalar_type: String,
+      allowed_scalar_type: String
     )
 
     if validated_params.empty?
       raise ArgumentError,
-            'aws_flow_log requires a parameter: flow_log_id, subnet_id, or vpc_id'
+            "aws_flow_log requires a parameter: flow_log_id, subnet_id, or vpc_id"
     end
 
     validated_params
@@ -72,10 +76,10 @@ class AwsFlowLog < Inspec.resource(1)
 
   def filter_args
     if @flow_log_id
-      { filter: [{ name: 'flow-log-id', values: [@flow_log_id] }] }
+      { filter: [{ name: "flow-log-id", values: [@flow_log_id] }] }
     elsif @subnet_id || @vpc_id
       filter = @subnet_id || @vpc_id
-      { filter: [{ name: 'resource-id', values: [filter] }] }
+      { filter: [{ name: "resource-id", values: [filter] }] }
     end
   end
 

data/lib/resources/aws/aws_iam_access_key.rb

@@ -1,6 +1,10 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-iam"
+
 class AwsIamAccessKey < Inspec.resource(1)
-  name 'aws_iam_access_key'
-  desc 'Verifies settings for an individual IAM access key'
+  name "aws_iam_access_key"
+  desc "Verifies settings for an individual IAM access key"
   example <<~EXAMPLE
     describe aws_iam_access_key(username: 'username', id: 'access-key id') do
       it { should exist }
@@ -9,7 +13,7 @@ class AwsIamAccessKey < Inspec.resource(1)
       its('last_used_date') { should be > Time.now - 90 * 86400 }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsSingularResourceMixin
   attr_reader :access_key_id, :create_date, :status, :username
@@ -20,22 +24,22 @@ class AwsIamAccessKey < Inspec.resource(1)
       raw_params: raw_params,
       allowed_params: [:username, :id, :access_key_id],
       allowed_scalar_name: :access_key_id,
-      allowed_scalar_type: String,
+      allowed_scalar_type: String
     )
 
     # id and access_key_id are aliases; standardize on access_key_id
     recognized_params[:access_key_id] = recognized_params.delete(:id) if recognized_params.key?(:id)
 
     # Validate format of access_key_id
-    if recognized_params[:access_key_id] and
-       recognized_params[:access_key_id] !~ /^AKIA[0-9A-Z]{16}$/
-      raise ArgumentError, 'Incorrect format for Access Key ID - expected AKIA followed ' \
-            'by 16 letters or numbers'
+    if recognized_params[:access_key_id] &&
+        recognized_params[:access_key_id] !~ (/^AKIA[0-9A-Z]{16}$/)
+      raise ArgumentError, "Incorrect format for Access Key ID - expected AKIA followed " \
+            "by 16 letters or numbers"
     end
 
     # One of username and access_key_id is required
     if recognized_params[:username].nil? && recognized_params[:access_key_id].nil?
-      raise ArgumentError, 'You must provide at lease one of access_key_id or username to aws_iam_access_key'
+      raise ArgumentError, "You must provide at lease one of access_key_id or username to aws_iam_access_key"
     end
 
     recognized_params
@@ -43,7 +47,7 @@ class AwsIamAccessKey < Inspec.resource(1)
 
   def active?
     return nil unless exists?
-    status == 'Active'
+    status == "Active"
   end
 
   def to_s
@@ -80,7 +84,7 @@ class AwsIamAccessKey < Inspec.resource(1)
     end
 
     if access_keys.count > 1
-      raise 'More than one access key matched for aws_iam_access_key.  Use more specific paramaters, such as access_key_id.'
+      raise "More than one access key matched for aws_iam_access_key.  Use more specific paramaters, such as access_key_id."
     end
 
     @exists = true

data/lib/resources/aws/aws_iam_access_keys.rb

@@ -1,12 +1,16 @@
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-iam"
+
 class AwsIamAccessKeys < Inspec.resource(1)
-  name 'aws_iam_access_keys'
-  desc 'Verifies settings for AWS IAM Access Keys in bulk'
+  name "aws_iam_access_keys"
+  desc "Verifies settings for AWS IAM Access Keys in bulk"
   example <<~EXAMPLE
     describe aws_iam_access_keys do
       it { should_not exist }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsPluralResourceMixin
 
@@ -15,15 +19,15 @@ class AwsIamAccessKeys < Inspec.resource(1)
       raw_params: raw_params,
       allowed_params: [:username, :id, :access_key_id, :created_date],
       allowed_scalar_name: :access_key_id,
-      allowed_scalar_type: String,
+      allowed_scalar_type: String
     )
 
     # id and access_key_id are aliases; standardize on access_key_id
     recognized_params[:access_key_id] = recognized_params.delete(:id) if recognized_params.key?(:id)
-    if recognized_params[:access_key_id] and
-       recognized_params[:access_key_id] !~ /^AKIA[0-9A-Z]{16}$/
-      raise 'Incorrect format for Access Key ID - expected AKIA followed ' \
-            'by 16 letters or numbers'
+    if recognized_params[:access_key_id] &&
+        recognized_params[:access_key_id] !~ (/^AKIA[0-9A-Z]{16}$/)
+      raise "Incorrect format for Access Key ID - expected AKIA followed " \
+            "by 16 letters or numbers"
     end
 
     recognized_params
@@ -56,7 +60,7 @@ class AwsIamAccessKeys < Inspec.resource(1)
   filter.install_filter_methods_on_resource(self, :table)
 
   def to_s
-    'IAM Access Keys'
+    "IAM Access Keys"
   end
 
   # Internal support class.  This is used to fetch
@@ -123,12 +127,12 @@ class AwsIamAccessKeys < Inspec.resource(1)
 
       def add_synthetic_fields(key_info, user_details) # rubocop:disable Metrics/AbcSize
         key_info[:id] = key_info[:access_key_id]
-        key_info[:active] = key_info[:status] == 'Active'
-        key_info[:inactive] = key_info[:status] != 'Active'
-        key_info[:created_hours_ago] = ((Time.now - key_info[:create_date]) / (60*60)).to_i
+        key_info[:active] = key_info[:status] == "Active"
+        key_info[:inactive] = key_info[:status] != "Active"
+        key_info[:created_hours_ago] = ((Time.now - key_info[:create_date]) / (60 * 60)).to_i
         key_info[:created_days_ago] = (key_info[:created_hours_ago] / 24).to_i
         key_info[:user_created_date] = user_details[:create_date]
-        key_info[:created_with_user] = (key_info[:create_date] - key_info[:user_created_date]).abs < 1.0/24.0
+        key_info[:created_with_user] = (key_info[:create_date] - key_info[:user_created_date]).abs < 1.0 / 24.0
 
         # Last used is a separate API call
         iam_client = aws_service_client
@@ -139,8 +143,8 @@ class AwsIamAccessKeys < Inspec.resource(1)
         key_info[:never_used] = last_used.nil?
         key_info[:last_used_time] = last_used
         return unless last_used
-        key_info[:last_used_hours_ago] = ((Time.now - last_used) / (60*60)).to_i
-        key_info[:last_used_days_ago] = (key_info[:last_used_hours_ago]/24).to_i
+        key_info[:last_used_hours_ago] = ((Time.now - last_used) / (60 * 60)).to_i
+        key_info[:last_used_days_ago] = (key_info[:last_used_hours_ago] / 24).to_i
       end
     end
   end