inspec 4.56.17 → 5.7.9

data/lib/resources/aws/aws_cloudtrail_trails.rb

@@ -1,51 +0,0 @@
-require "resource_support/aws/aws_plural_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-cloudtrail"
-
-class AwsCloudTrailTrails < Inspec.resource(1)
-  name "aws_cloudtrail_trails"
-  desc "Verifies settings for AWS CloudTrail Trails in bulk"
-  example <<~EXAMPLE
-    describe aws_cloudtrail_trails do
-      it { should exist }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsPluralResourceMixin
-
-  def validate_params(resource_params)
-    unless resource_params.empty?
-      raise ArgumentError, "aws_cloudtrail_trails does not accept resource parameters."
-    end
-
-    resource_params
-  end
-
-  # Underlying FilterTable implementation.
-  filter = FilterTable.create
-  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
-  filter.register_column(:trail_arns, field: :trail_arn)
-  filter.register_column(:names, field: :name)
-  filter.install_filter_methods_on_resource(self, :table)
-
-  def to_s
-    "CloudTrail Trails"
-  end
-
-  def fetch_from_api
-    backend = BackendFactory.create(inspec_runner)
-    @table = backend.describe_trails({}).to_h[:trail_list]
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      AwsCloudTrailTrails::BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::CloudTrail::Client
-
-      def describe_trails(query)
-        aws_service_client.describe_trails(query)
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_cloudwatch_alarm.rb

@@ -1,67 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-cloudwatch"
-
-class AwsCloudwatchAlarm < Inspec.resource(1)
-  name "aws_cloudwatch_alarm"
-  desc <<~EXAMPLE
-    # Look for a specific alarm
-    aws_cloudwatch_alarm(
-      metric_name: 'my-metric-name',
-      metric_namespace: 'my-metric-namespace',
-    ) do
-      it { should exist }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsSingularResourceMixin
-  attr_reader :alarm_actions, :alarm_name, :metric_name, :metric_namespace
-
-  private
-
-  def validate_params(raw_params)
-    recognized_params = check_resource_param_names(
-      raw_params: raw_params,
-      allowed_params: %i{metric_name metric_namespace}
-    )
-    validated_params = {}
-    # Currently you must specify exactly metric_name and metric_namespace
-    %i{metric_name metric_namespace}.each do |param|
-      raise ArgumentError, "Missing resource param #{param}" unless recognized_params.key?(param)
-
-      validated_params[param] = recognized_params.delete(param)
-    end
-
-    validated_params
-  end
-
-  def fetch_from_api
-    aws_alarms = BackendFactory.create(inspec_runner).describe_alarms_for_metric(
-      metric_name: @metric_name,
-      namespace: @metric_namespace
-    )
-    if aws_alarms.metric_alarms.empty?
-      @exists = false
-    elsif aws_alarms.metric_alarms.count > 1
-      alarms = aws_alarms.metric_alarms.map(&:alarm_name)
-      raise "More than one Cloudwatch Alarm was matched. Try using " \
-        "more specific resource parameters. Alarms matched: #{alarms.join(", ")}"
-    else
-      @alarm_actions = aws_alarms.metric_alarms.first.alarm_actions
-      @alarm_name = aws_alarms.metric_alarms.first.alarm_name
-      @exists = true
-    end
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      AwsCloudwatchAlarm::BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::CloudWatch::Client
-
-      def describe_alarms_for_metric(query)
-        aws_service_client.describe_alarms_for_metric(query)
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_cloudwatch_log_metric_filter.rb

@@ -1,105 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-cloudwatchlogs"
-
-class AwsCloudwatchLogMetricFilter < Inspec.resource(1)
-  name "aws_cloudwatch_log_metric_filter"
-  desc "Verifies individual Cloudwatch Log Metric Filters"
-  example <<~EXAMPLE
-    # Look for a LMF by its filter name and log group name.  This combination
-    # will always either find at most one LMF - no duplicates.
-    describe aws_cloudwatch_log_metric_filter(
-      filter_name: 'my-filter',
-      log_group_name: 'my-log-group'
-    ) do
-      it { should exist }
-    end
-
-    # Search for an LMF by pattern and log group.
-    # This could result in an error if the results are not unique.
-    describe aws_cloudwatch_log_metric_filter(
-      log_group_name:  'my-log-group',
-      pattern: 'my-filter'
-    ) do
-      it { should exist }
-    end
-  EXAMPLE
-  supports platform: "aws"
-  include AwsSingularResourceMixin
-  attr_reader :filter_name, :log_group_name, :metric_name, :metric_namespace, :pattern
-
-  private
-
-  def validate_params(raw_params)
-    validated_params = check_resource_param_names(
-      raw_params: raw_params,
-      allowed_params: %i{filter_name log_group_name pattern}
-    )
-    if validated_params.empty?
-      raise ArgumentError, "You must provide either filter_name, log_group, or pattern to aws_cloudwatch_log_metric_filter."
-    end
-
-    validated_params
-  end
-
-  def fetch_from_api
-    # get a backend
-    backend = BackendFactory.create(inspec_runner)
-
-    # Perform query with remote filtering
-    aws_search_criteria = {}
-    aws_search_criteria[:filter_name] = filter_name if filter_name
-    aws_search_criteria[:log_group_name] = log_group_name if log_group_name
-    begin
-      aws_results = backend.describe_metric_filters(aws_search_criteria)
-    rescue Aws::CloudWatchLogs::Errors::ResourceNotFoundException
-      @exists = false
-      return
-    end
-
-    # Then perform local filtering
-    if pattern
-      aws_results.select! { |lmf| lmf.filter_pattern == pattern }
-    end
-
-    # Check result count.  We're a singular resource and can tolerate
-    # 0 or 1 results, not multiple.
-    if aws_results.count > 1
-      raise "More than one result was returned, but aws_cloudwatch_log_metric_filter "\
-            "can only handle a single AWS resource.  Consider passing more resource "\
-            "parameters to narrow down the search."
-    elsif aws_results.empty?
-      @exists = false
-    else
-      @exists = true
-      # Unpack the funny-shaped object we got back from AWS into our instance vars
-      lmf = aws_results.first
-      @filter_name = lmf.filter_name
-      @log_group_name = lmf.log_group_name
-      @pattern = lmf.filter_pattern # Note inconsistent name
-      # AWS SDK returns an array of metric transformations
-      # but only allows one (mandatory) entry, let's flatten that
-      @metric_name = lmf.metric_transformations.first.metric_name
-      @metric_namespace = lmf.metric_transformations.first.metric_namespace
-    end
-  end
-
-  class Backend
-    # Uses the cloudwatch API to really talk to AWS
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::CloudWatchLogs::Client
-
-      def describe_metric_filters(criteria)
-        query = {}
-        query[:filter_name_prefix] = criteria[:filter_name] if criteria[:filter_name]
-        query[:log_group_name] = criteria[:log_group_name] if criteria[:log_group_name]
-        # 'pattern' is not available as a remote filter,
-        # we filter it after the fact locally
-        # TODO: handle pagination?  Max 50/page.  Maybe you want a plural resource?
-        aws_response = aws_service_client.describe_metric_filters(query)
-        aws_response.metric_filters
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_config_delivery_channel.rb

@@ -1,74 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-configservice"
-
-class AwsConfigDeliveryChannel < Inspec.resource(1)
-  name "aws_config_delivery_channel"
-  desc "Verifies settings for AWS Config Delivery Channel"
-  example <<~EXAMPLE
-    describe aws_config_delivery_channel do
-      it { should exist }
-      its('s3_bucket_name') { should eq 'my_bucket' }
-      its('sns_topic_arn') { should eq arn:aws:sns:us-east-1:721741954427:sns_topic' }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsSingularResourceMixin
-  attr_reader :channel_name, :s3_bucket_name, :s3_key_prefix, :sns_topic_arn,
-              :delivery_frequency_in_hours
-
-  def to_s
-    "Config_Delivery_Channel: #{@channel_name}"
-  end
-
-  private
-
-  def validate_params(raw_params)
-    validated_params = check_resource_param_names(
-      raw_params: raw_params,
-      allowed_params: [:channel_name],
-      allowed_scalar_name: :channel_name,
-      allowed_scalar_type: String
-    )
-
-    validated_params
-  end
-
-  def fetch_from_api
-    backend = BackendFactory.create(inspec_runner)
-    query = @channel_name ? { delivery_channel_names: [@channel_name] } : {}
-    response = backend.describe_delivery_channels(query)
-
-    @exists = !response.delivery_channels.empty?
-    return unless exists?
-
-    channel = response.delivery_channels.first.to_h
-    @channel_name = channel[:name]
-    @s3_bucket_name = channel[:s3_bucket_name]
-    @s3_key_prefix = channel[:s3_key_prefix]
-    @sns_topic_arn = channel[:sns_topic_arn]
-    @delivery_frequency_in_hours = channel.dig(:config_snapshot_delivery_properties, :delivery_frequency)
-    frequencies = {
-      "One_Hour" => 1,
-      "TwentyFour_Hours" => 24,
-      "Three_Hours" => 3,
-      "Six_Hours" => 6,
-      "Twelve_Hours" => 12,
-    }
-    @delivery_frequency_in_hours = frequencies[@delivery_frequency_in_hours]
-  rescue Aws::ConfigService::Errors::NoSuchDeliveryChannelException
-    @exists = false
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::ConfigService::Client
-
-      def describe_delivery_channels(query = {})
-        aws_service_client.describe_delivery_channels(query)
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_config_recorder.rb

@@ -1,99 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-configservice"
-
-class AwsConfigurationRecorder < Inspec.resource(1)
-  name "aws_config_recorder"
-  desc "Verifies settings for AWS Configuration Recorder"
-  example <<~EXAMPLE
-    describe aws_config_recorder('My_Recorder') do
-      it { should exist }
-      it { should be_recording }
-      it { should be_all_supported }
-      it { should have_include_global_resource_types }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsSingularResourceMixin
-  attr_reader :role_arn, :resource_types, :recorder_name
-
-  def to_s
-    "Configuration_Recorder: #{@recorder_name}"
-  end
-
-  def recording_all_resource_types?
-    @recording_all_resource_types
-  end
-
-  def recording_all_global_types?
-    @recording_all_global_types
-  end
-
-  def status
-    return {} unless @exists
-
-    backend = BackendFactory.create(inspec_runner)
-    catch_aws_errors do
-      response = backend.describe_configuration_recorder_status(configuration_recorder_names: [@recorder_name])
-      @status = response.configuration_recorders_status.first.to_h
-    end
-  end
-
-  def recording?
-    return unless @exists
-
-    status[:recording]
-  end
-
-  private
-
-  def validate_params(raw_params)
-    validated_params = check_resource_param_names(
-      raw_params: raw_params,
-      allowed_params: [:recorder_name],
-      allowed_scalar_name: :recorder_name,
-      allowed_scalar_type: String
-    )
-
-    validated_params
-  end
-
-  def fetch_from_api
-    backend = BackendFactory.create(inspec_runner)
-    query = @recorder_name ? { configuration_recorder_names: [@recorder_name] } : {}
-    response = backend.describe_configuration_recorders(query)
-
-    @exists = !response.configuration_recorders.empty?
-    return unless exists?
-
-    if response.configuration_recorders.count > 1
-      raise ArgumentError, "Internal error: unexpectedly received multiple AWS Config Recorder objects from API; expected to be singleton per-region.  Please file a bug report at https://github.com/chef/inspec/issues ."
-    end
-
-    recorder = response.configuration_recorders.first.to_h
-    @recorder_name = recorder[:name]
-    @role_arn = recorder[:role_arn]
-    @recording_all_resource_types = recorder[:recording_group][:all_supported]
-    @recording_all_global_types = recorder[:recording_group][:include_global_resource_types]
-    @resource_types = recorder[:recording_group][:resource_types]
-  rescue Aws::ConfigService::Errors::NoSuchConfigurationRecorderException
-    @exists = false
-    nil
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::ConfigService::Client
-
-      def describe_configuration_recorders(query)
-        aws_service_client.describe_configuration_recorders(query)
-      end
-
-      def describe_configuration_recorder_status(query)
-        aws_service_client.describe_configuration_recorder_status(query)
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_ebs_volume.rb

@@ -1,127 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-ec2"
-
-class AwsEbsVolume < Inspec.resource(1)
-  name "aws_ebs_volume"
-  desc "Verifies settings for an EBS volume"
-
-  example <<~EXAMPLE
-    describe aws_ebs_volume('vol-123456') do
-      it { should be_encrypted }
-      its('size') { should cmp 8 }
-    end
-
-    describe aws_ebs_volume(name: 'my-volume') do
-      its('encrypted') { should eq true }
-      its('iops') { should cmp 100 }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  # TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin
-  def initialize(opts, conn = nil)
-    @opts = opts
-    @display_name = opts.is_a?(Hash) ? @opts[:name] : opts
-    @ec2_client = conn ? conn.ec2_client : inspec_runner.backend.aws_client(Aws::EC2::Client)
-    @ec2_resource = conn ? conn.ec2_resource : inspec_runner.backend.aws_resource(Aws::EC2::Resource, {})
-  end
-
-  # TODO: DRY up, see https://github.com/chef/inspec/issues/2633
-  # Copied from resource_support/aws/aws_resource_mixin.rb
-  def catch_aws_errors
-    yield
-  rescue Aws::Errors::MissingCredentialsError
-    # The AWS error here is unhelpful:
-    # "unable to sign request without credentials set"
-    Inspec::Log.error "It appears that you have not set your AWS credentials. You may set them using environment variables, or using the 'aws://region/aws_credentials_profile' target. See https://docs.chef.io/inspec/platforms/ for details."
-    fail_resource("No AWS credentials available")
-  rescue Aws::Errors::ServiceError => e
-    fail_resource(e.message)
-  end
-
-  # TODO: DRY up, see https://github.com/chef/inspec/issues/2633
-  # Copied from resource_support/aws/aws_singular_resource_mixin.rb
-  def inspec_runner
-    # When running under inspec-cli, we have an 'inspec' method that
-    # returns the runner. When running under unit tests, we don't
-    # have that, but we still have to call this to pass something
-    # (nil is OK) to the backend.
-    # TODO: remove with https://github.com/chef/inspec-aws/issues/216
-    # TODO: remove after rewrite to include AwsSingularResource
-    inspec if respond_to?(:inspec)
-  end
-
-  def id
-    return @volume_id if defined?(@volume_id)
-
-    catch_aws_errors do
-      if @opts.is_a?(Hash)
-        first = @ec2_resource.volumes(
-          {
-            filters: [{
-              name: "tag:Name",
-              values: [@opts[:name]],
-            }],
-          }
-        ).first
-        # catch case where the volume is not known
-        @volume_id = first.id unless first.nil?
-      else
-        @volume_id = @opts
-      end
-    end
-  end
-  alias volume_id id
-
-  def exists?
-    !volume.nil?
-  end
-
-  def encrypted?
-    volume.encrypted
-  end
-
-  # attributes that we want to expose
-  %w{
-    availability_zone encrypted iops kms_key_id size snapshot_id state volume_type
-  }.each do |attribute|
-    define_method attribute do
-      catch_aws_errors do
-        volume.send(attribute) if volume
-      end
-    end
-  end
-
-  # Don't document this - it's a bit hard to use.  Our current doctrine
-  # is to use dumb things, like arrays of strings - use security_group_ids instead.
-  def security_groups
-    catch_aws_errors do
-      @security_groups ||= volume.security_groups.map do |sg|
-        { id: sg.group_id, name: sg.group_name }
-      end
-    end
-  end
-
-  def security_group_ids
-    catch_aws_errors do
-      @security_group_ids ||= volume.security_groups.map(&:group_id)
-    end
-  end
-
-  def tags
-    catch_aws_errors do
-      @tags ||= volume.tags.map { |tag| { key: tag.key, value: tag.value } }
-    end
-  end
-
-  def to_s
-    "EBS Volume #{@display_name}"
-  end
-
-  private
-
-  def volume
-    catch_aws_errors { @volume ||= @ec2_resource.volume(id) }
-  end
-end

data/lib/resources/aws/aws_ebs_volumes.rb

@@ -1,69 +0,0 @@
-require "resource_support/aws/aws_plural_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-ec2"
-
-class AwsEbsVolumes < Inspec.resource(1)
-  name "aws_ebs_volumes"
-  desc "Verifies settings for AWS EBS Volumes in bulk"
-  example <<~EXAMPLE
-    describe aws_ebs_volumes do
-      it { should exist }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsPluralResourceMixin
-  def validate_params(resource_params)
-    unless resource_params.empty?
-      raise ArgumentError, "aws_ebs_volumes does not accept resource parameters."
-    end
-
-    resource_params
-  end
-
-  # Underlying FilterTable implementation.
-  filter = FilterTable.create
-  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
-  filter.register_column(:volume_ids, field: :volume_id)
-  filter.install_filter_methods_on_resource(self, :table)
-
-  def to_s
-    "EBS Volumes"
-  end
-
-  def fetch_from_api
-    backend = BackendFactory.create(inspec_runner)
-    @table = []
-    pagination_opts = {}
-    loop do
-      api_result = backend.describe_volumes(pagination_opts)
-      @table += unpack_describe_volumes_response(api_result.volumes)
-      break unless api_result.next_token
-
-      pagination_opts = { next_token: api_result.next_token }
-    end
-  end
-
-  def unpack_describe_volumes_response(volumes)
-    volume_rows = []
-    volumes.each do |res|
-      volume_rows += res.attachments.map do |volume_struct|
-        {
-          volume_id: volume_struct.volume_id,
-        }
-      end
-    end
-    volume_rows
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::EC2::Client
-
-      def describe_volumes(query)
-        aws_service_client.describe_volumes(query)
-      end
-    end
-  end
-end