inspec 4.56.19 → 5.7.9

data/lib/resources/aws/aws_ec2_instance.rb

@@ -1,162 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-ec2"
-
-class AwsEc2Instance < Inspec.resource(1)
-  name "aws_ec2_instance"
-  desc "Verifies settings for an EC2 instance"
-
-  example <<~EXAMPLE
-    describe aws_ec2_instance('i-123456') do
-      it { should be_running }
-      it { should have_roles }
-    end
-
-    describe aws_ec2_instance(name: 'my-instance') do
-      it { should be_running }
-      it { should have_roles }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  # TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin
-  def initialize(opts, conn = nil)
-    @opts = opts
-    @opts.is_a?(Hash) ? @display_name = @opts[:name] : @display_name = opts
-    @ec2_client = conn ? conn.ec2_client : inspec_runner.backend.aws_client(Aws::EC2::Client)
-    @ec2_resource = conn ? conn.ec2_resource : inspec_runner.backend.aws_resource(Aws::EC2::Resource, {})
-    @iam_resource = conn ? conn.iam_resource : inspec_runner.backend.aws_resource(Aws::IAM::Resource, {})
-  end
-
-  # TODO: DRY up, see https://github.com/chef/inspec/issues/2633
-  # Copied from resource_support/aws/aws_resource_mixin.rb
-  def catch_aws_errors
-    yield
-  rescue Aws::Errors::MissingCredentialsError
-    # The AWS error here is unhelpful:
-    # "unable to sign request without credentials set"
-    Inspec::Log.error "It appears that you have not set your AWS credentials.  You may set them using environment variables, or using the 'aws://region/aws_credentials_profile' target.  See https://docs.chef.io/inspec/platforms/ for details."
-    fail_resource("No AWS credentials available")
-  rescue Aws::Errors::ServiceError => e
-    fail_resource e.message
-  end
-
-  # TODO: DRY up, see https://github.com/chef/inspec/issues/2633
-  # Copied from resource_support/aws/aws_singular_resource_mixin.rb
-  def inspec_runner
-    # When running under inspec-cli, we have an 'inspec' method that
-    # returns the runner. When running under unit tests, we don't
-    # have that, but we still have to call this to pass something
-    # (nil is OK) to the backend.
-    # TODO: remove with https://github.com/chef/inspec-aws/issues/216
-    # TODO: remove after rewrite to include AwsSingularResource
-    inspec if respond_to?(:inspec)
-  end
-
-  def id
-    return @instance_id if defined?(@instance_id)
-
-    catch_aws_errors do
-      if @opts.is_a?(Hash)
-        first = @ec2_resource.instances(
-          {
-            filters: [{
-              name: "tag:Name",
-              values: [@opts[:name]],
-            }],
-          }
-        ).first
-        # catch case where the instance is not known
-        @instance_id = first.id unless first.nil?
-      else
-        @instance_id = @opts
-      end
-    end
-  end
-  alias instance_id id
-
-  def exists?
-    return false if instance.nil?
-
-    instance.exists?
-  end
-
-  # returns the instance state
-  def state
-    catch_aws_errors do
-      instance&.state&.name
-    end
-  end
-
-  # helper methods for each state
-  %w{
-    pending running shutting-down
-    terminated stopping stopped unknown
-  }.each do |state_name|
-    define_method state_name.tr("-", "_") + "?" do
-      state == state_name
-    end
-  end
-
-  # attributes that we want to expose
-  %w{
-    public_ip_address private_ip_address key_name private_dns_name
-    public_dns_name subnet_id architecture root_device_type
-    root_device_name virtualization_type client_token launch_time
-    instance_type image_id vpc_id
-  }.each do |attribute|
-    define_method attribute do
-      catch_aws_errors do
-        instance.send(attribute) if instance
-      end
-    end
-  end
-
-  # Don't document this - it's a bit hard to use.  Our current doctrine
-  # is to use dumb things, like arrays of strings - use security_group_ids instead.
-  def security_groups
-    catch_aws_errors do
-      @security_groups ||= instance.security_groups.map do |sg|
-        { id: sg.group_id, name: sg.group_name }
-      end
-    end
-  end
-
-  def security_group_ids
-    catch_aws_errors do
-      @security_group_ids ||= instance.security_groups.map(&:group_id)
-    end
-  end
-
-  def tags
-    catch_aws_errors do
-      @tags ||= instance.tags.map { |tag| { key: tag.key, value: tag.value } }
-    end
-  end
-
-  def to_s
-    "EC2 Instance #{@display_name}"
-  end
-
-  def has_roles?
-    catch_aws_errors do
-      instance_profile = instance.iam_instance_profile
-
-      if instance_profile
-        roles = @iam_resource.instance_profile(
-          instance_profile.arn.gsub(%r{^.*\/}, "")
-        ).roles
-      else
-        roles = nil
-      end
-
-      roles && !roles.empty?
-    end
-  end
-
-  private
-
-  def instance
-    catch_aws_errors { @instance ||= @ec2_resource.instance(id) }
-  end
-end

data/lib/resources/aws/aws_ec2_instances.rb

@@ -1,69 +0,0 @@
-require "resource_support/aws/aws_plural_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-ec2"
-
-class AwsEc2Instances < Inspec.resource(1)
-  name "aws_ec2_instances"
-  desc "Verifies settings for AWS EC2 Instances in bulk"
-  example <<~EXAMPLE
-    describe aws_ec2_instances do
-      it { should exist }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsPluralResourceMixin
-  def validate_params(resource_params)
-    unless resource_params.empty?
-      raise ArgumentError, "aws_ec2_instances does not accept resource parameters."
-    end
-
-    resource_params
-  end
-
-  # Underlying FilterTable implementation.
-  filter = FilterTable.create
-  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
-  filter.register_column(:instance_ids, field: :instance_id)
-  filter.install_filter_methods_on_resource(self, :table)
-
-  def to_s
-    "EC2 Instances"
-  end
-
-  def fetch_from_api
-    backend = BackendFactory.create(inspec_runner)
-    @table = []
-    pagination_opts = {}
-    loop do
-      api_result = backend.describe_instances(pagination_opts)
-      @table += unpack_describe_instances_response(api_result.reservations)
-      break unless api_result.next_token
-
-      pagination_opts = { next_token: api_result.next_token }
-    end
-  end
-
-  def unpack_describe_instances_response(reservations)
-    instance_rows = []
-    reservations.each do |res|
-      instance_rows += res.instances.map do |instance_struct|
-        {
-          instance_id: instance_struct.instance_id,
-        }
-      end
-    end
-    instance_rows
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::EC2::Client
-
-      def describe_instances(query)
-        aws_service_client.describe_instances(query)
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_ecs_cluster.rb

@@ -1,87 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-ecs"
-
-class AwsEcsCluster < Inspec.resource(1)
-  name "aws_ecs_cluster"
-  desc "Verifies settings for an ECS cluster"
-
-  example <<~EXAMPLE
-    describe aws_ecs_cluster('default') do
-      it { should exist }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsSingularResourceMixin
-  attr_reader :cluster_arn, :cluster_name, :status,
-              :registered_container_instances_count, :running_tasks_count,
-              :pending_tasks_count, :active_services_count, :statistics
-
-  def to_s
-    "AWS ECS cluster #{cluster_name}"
-  end
-
-  private
-
-  def validate_params(raw_params)
-    validated_params = check_resource_param_names(
-      raw_params: raw_params,
-      allowed_params: [:cluster_name],
-      allowed_scalar_name: :cluster_name,
-      allowed_scalar_type: String
-    )
-
-    validated_params
-  end
-
-  def fetch_from_api
-    backend = BackendFactory.create(inspec_runner)
-
-    # Use default cluster if no cluster name is specified
-    params = cluster_name.nil? ? {} : { clusters: [cluster_name] }
-    clusters = backend.describe_clusters(params).clusters
-
-    # Cluster name is unique, we either get back one cluster, or none
-    if clusters.length == 1
-      @exists = true
-      unpack_describe_clusters_response(clusters.first)
-    else
-      @exists = false
-      populate_as_missing
-    end
-  end
-
-  def unpack_describe_clusters_response(cluster_struct)
-    @cluster_arn = cluster_struct.cluster_arn
-    @cluster_name = cluster_struct.cluster_name
-    @status = cluster_struct.status
-    @registered_container_instances_count = cluster_struct.registered_container_instances_count
-    @running_tasks_count = cluster_struct.running_tasks_count
-    @pending_tasks_count = cluster_struct.pending_tasks_count
-    @active_services_count = cluster_struct.active_services_count
-    @statistics = cluster_struct.statistics
-  end
-
-  def populate_as_missing
-    @cluster_arn = ""
-    @cluster_name = ""
-    @status = ""
-    @registered_container_instances_count = 0
-    @running_tasks_count = 0
-    @pending_tasks_count = 0
-    @active_services_count = 0
-    @statistics = []
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::ECS::Client
-
-      def describe_clusters(query = {})
-        aws_service_client.describe_clusters(query)
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_eks_cluster.rb

@@ -1,105 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-eks"
-
-class AwsEksCluster < Inspec.resource(1)
-  name "aws_eks_cluster"
-  desc "Verifies settings for an EKS cluster"
-
-  example <<~EXAMPLE
-    describe aws_eks_cluster('default') do
-      it { should exist }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsSingularResourceMixin
-  attr_reader :version, :arn, :cluster_name, :certificate_authority, :name,
-              :status, :endpoint, :subnets_count, :subnet_ids, :security_group_ids,
-              :created_at, :role_arn, :vpc_id, :security_groups_count, :creating,
-              :active, :failed, :deleting
-  # Use aliases for matchers
-  alias active? active
-  alias failed? failed
-  alias creating? creating
-  alias deleting? deleting
-
-  def to_s
-    "AWS EKS cluster #{cluster_name}"
-  end
-
-  private
-
-  def validate_params(raw_params)
-    validated_params = check_resource_param_names(
-      raw_params: raw_params,
-      allowed_params: [:cluster_name],
-      allowed_scalar_name: :cluster_name,
-      allowed_scalar_type: String
-    )
-
-    if validated_params.empty?
-      raise ArgumentError, "You must provide a cluster_name to aws_eks_cluster."
-    end
-
-    validated_params
-  end
-
-  def fetch_from_api # rubocop:disable Metrics/AbcSize
-    backend = BackendFactory.create(inspec_runner)
-    begin
-      params = { name: cluster_name }
-      resp = backend.describe_cluster(params)
-    rescue Aws::EKS::Errors::ResourceNotFoundException
-      @exists = false
-      populate_as_missing
-      return
-    end
-    @exists = true
-    cluster = resp.to_h[:cluster]
-    @version = cluster[:version]
-    @name = cluster[:name]
-    @arn = cluster[:arn]
-    @certificate_authority = cluster[:certificate_authority][:data]
-    @created_at = cluster[:created_at]
-    @endpoint = cluster[:endpoint]
-    @security_group_ids = cluster[:resources_vpc_config][:security_group_ids]
-    @subnet_ids = cluster[:resources_vpc_config][:subnet_ids]
-    @subnets_count = cluster[:resources_vpc_config][:subnet_ids].length
-    @security_groups_count = cluster[:resources_vpc_config][:security_group_ids].length
-    @vpc_id = cluster[:resources_vpc_config][:vpc_id]
-    @role_arn = cluster[:role_arn]
-    @status = cluster[:status]
-    @active = cluster[:status] == "ACTIVE"
-    @failed = cluster[:status] == "FAILED"
-    @creating = cluster[:status] == "CREATING"
-    @deleting = cluster[:status] == "DELETING"
-  end
-
-  def populate_as_missing
-    @version = nil
-    @name = cluster_name # name is an alias for cluster_name, and it is retained on a miss
-    @arn = nil
-    @certificate_authority = nil
-    @created_at = nil
-    @endpoint = nil
-    @security_group_ids = []
-    @subnet_ids = []
-    @subnets_count = nil
-    @security_groups_count = nil
-    @vpc_id = nil
-    @role_arn = nil
-    @status = nil
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::EKS::Client
-
-      def describe_cluster(query = {})
-        aws_service_client.describe_cluster(query)
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_elb.rb

@@ -1,85 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-elasticloadbalancing"
-
-class AwsElb < Inspec.resource(1)
-  name "aws_elb"
-  desc "Verifies settings for AWS Elastic Load Balancer"
-  example <<~EXAMPLE
-    describe aws_elb('myelb') do
-      it { should exist }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsSingularResourceMixin
-  attr_reader :availability_zones, :dns_name, :elb_name, :external_ports,
-              :instance_ids, :internal_ports, :security_group_ids,
-              :subnet_ids, :vpc_id
-
-  def to_s
-    "AWS ELB #{elb_name}"
-  end
-
-  private
-
-  def validate_params(raw_params)
-    validated_params = check_resource_param_names(
-      raw_params: raw_params,
-      allowed_params: [:elb_name],
-      allowed_scalar_name: :elb_name,
-      allowed_scalar_type: String
-    )
-
-    if validated_params.empty?
-      raise ArgumentError, "You must provide a elb_name to aws_elb."
-    end
-
-    validated_params
-  end
-
-  def fetch_from_api
-    backend = BackendFactory.create(inspec_runner)
-    begin
-      lbs = backend.describe_load_balancers(load_balancer_names: [elb_name]).load_balancer_descriptions
-      @exists = true
-      # Load balancer names are uniq; we will either have 0 or 1 result
-      unpack_describe_elbs_response(lbs.first)
-    rescue Aws::ElasticLoadBalancing::Errors::LoadBalancerNotFound
-      @exists = false
-      populate_as_missing
-    end
-  end
-
-  def unpack_describe_elbs_response(lb_struct)
-    @availability_zones = lb_struct.availability_zones
-    @dns_name = lb_struct.dns_name
-    @external_ports = lb_struct.listener_descriptions.map { |ld| ld.listener.load_balancer_port }
-    @instance_ids = lb_struct.instances.map(&:instance_id)
-    @internal_ports = lb_struct.listener_descriptions.map { |ld| ld.listener.instance_port }
-    @elb_name = lb_struct.load_balancer_name
-    @security_group_ids = lb_struct.security_groups
-    @subnet_ids = lb_struct.subnets
-    @vpc_id = lb_struct.vpc_id
-  end
-
-  def populate_as_missing
-    @availability_zones = []
-    @external_ports = []
-    @instance_ids = []
-    @internal_ports = []
-    @security_group_ids = []
-    @subnet_ids = []
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::ElasticLoadBalancing::Client
-
-      def describe_load_balancers(query = {})
-        aws_service_client.describe_load_balancers(query)
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_elbs.rb

@@ -1,84 +0,0 @@
-require "resource_support/aws/aws_plural_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-elasticloadbalancing"
-
-class AwsElbs < Inspec.resource(1)
-  name "aws_elbs"
-  desc "Verifies settings for AWS ELBs (classic Elastic Load Balancers) in bulk"
-  example <<~EXAMPLE
-    describe aws_elbs do
-      it { should exist }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsPluralResourceMixin
-  def validate_params(resource_params)
-    unless resource_params.empty?
-      raise ArgumentError, "aws_elbs does not accept resource parameters."
-    end
-
-    resource_params
-  end
-
-  # Underlying FilterTable implementation.
-  filter = FilterTable.create
-  filter.add_accessor(:entries)
-    .add_accessor(:where)
-    .add(:exists?) { |table| !table.params.empty? }
-    .add(:count) { |table| table.params.count }
-    .add(:availability_zones, field: :availability_zones, style: :simple)
-    .add(:dns_names, field: :dns_name)
-    .add(:external_ports, field: :external_ports, style: :simple)
-    .add(:instance_ids, field: :instance_ids, style: :simple)
-    .add(:internal_ports, field: :internal_ports, style: :simple)
-    .add(:elb_names, field: :elb_name)
-    .add(:security_group_ids, field: :security_group_ids, style: :simple)
-    .add(:subnet_ids, field: :subnet_ids, style: :simple)
-    .add(:vpc_ids, field: :vpc_id, style: :simple)
-  filter.connect(self, :table)
-
-  def to_s
-    "AWS ELBs"
-  end
-
-  def fetch_from_api
-    backend = BackendFactory.create(inspec_runner)
-    @table = []
-    pagination_opts = {}
-    loop do
-      api_result = backend.describe_load_balancers(pagination_opts)
-      @table += unpack_describe_elbs_response(api_result.load_balancer_descriptions)
-      break unless api_result.next_marker
-
-      pagination_opts = { marker: api_result.next_marker }
-    end
-  end
-
-  def unpack_describe_elbs_response(load_balancers)
-    load_balancers.map do |lb_struct|
-      {
-        availability_zones: lb_struct.availability_zones,
-        dns_name: lb_struct.dns_name,
-        external_ports: lb_struct.listener_descriptions.map { |ld| ld.listener.load_balancer_port },
-        instance_ids: lb_struct.instances.map(&:instance_id),
-        internal_ports: lb_struct.listener_descriptions.map { |ld| ld.listener.instance_port },
-        elb_name: lb_struct.load_balancer_name,
-        security_group_ids: lb_struct.security_groups,
-        subnet_ids: lb_struct.subnets,
-        vpc_id: lb_struct.vpc_id,
-      }
-    end
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::ElasticLoadBalancing::Client
-
-      def describe_load_balancers(query = {})
-        aws_service_client.describe_load_balancers(query)
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_flow_log.rb

@@ -1,106 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-ec2"
-
-class AwsFlowLog < Inspec.resource(1)
-  name "aws_flow_log"
-  supports platform: "aws"
-  desc "This resource is used to test the attributes of a Flow Log."
-  example <<~EXAMPLE
-    describe aws_flow_log('fl-9c718cf5') do
-      it { should exist }
-    end
-  EXAMPLE
-
-  include AwsSingularResourceMixin
-
-  def to_s
-    "AWS Flow Log #{id}"
-  end
-
-  def resource_type
-    case @resource_id
-    when /^eni/
-      @resource_type = "eni"
-    when /^subnet/
-      @resource_type = "subnet"
-    when /^vpc/
-      @resource_type = "vpc"
-    end
-  end
-
-  def attached_to_eni?
-    resource_type.eql?("eni") ? true : false
-  end
-
-  def attached_to_subnet?
-    resource_type.eql?("subnet") ? true : false
-  end
-
-  def attached_to_vpc?
-    resource_type.eql?("vpc") ? true : false
-  end
-
-  attr_reader :log_group_name, :resource_id, :flow_log_id
-
-  private
-
-  def validate_params(raw_params)
-    validated_params = check_resource_param_names(
-      raw_params: raw_params,
-      allowed_params: %i{flow_log_id subnet_id vpc_id},
-      allowed_scalar_name: :flow_log_id,
-      allowed_scalar_type: String
-    )
-
-    if validated_params.empty?
-      raise ArgumentError,
-            "aws_flow_log requires a parameter: flow_log_id, subnet_id, or vpc_id"
-    end
-
-    validated_params
-  end
-
-  def fetch_from_api
-    backend = BackendFactory.create(inspec_runner)
-
-    resp = backend.describe_flow_logs(filter_args)
-    flow_log = resp.to_h[:flow_logs].first
-    @exists = !flow_log.nil?
-    unless flow_log.nil?
-      @log_group_name = flow_log[:log_group_name]
-      @resource_id = flow_log[:resource_id]
-      @flow_log_id = flow_log[:flow_log_id]
-    end
-  end
-
-  def filter_args
-    if @flow_log_id
-      { filter: [{ name: "flow-log-id", values: [@flow_log_id] }] }
-    elsif @subnet_id || @vpc_id
-      filter = @subnet_id || @vpc_id
-      { filter: [{ name: "resource-id", values: [filter] }] }
-    end
-  end
-
-  def id
-    return @flow_log_id if @flow_log_id
-    return @subnet_id if @subnet_id
-    return @vpc_id if @vpc_id
-  end
-
-  def backend
-    BackendFactory.create(inspec_runner)
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      AwsFlowLog::BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::EC2::Client
-
-      def describe_flow_logs(query)
-        aws_service_client.describe_flow_logs(query)
-      end
-    end
-  end
-end