inspec 4.56.58 → 5.7.9
- checksums.yaml +4 -4
- data/Gemfile +24 -9
- data/inspec.gemspec +5 -2
- data/lib/plugins/inspec-init/templates/profiles/aws/inspec.yml +1 -1
- metadata +21 -64
- data/lib/resource_support/aws/aws_backend_base.rb +0 -12
- data/lib/resource_support/aws/aws_backend_factory_mixin.rb +0 -12
- data/lib/resource_support/aws/aws_plural_resource_mixin.rb +0 -24
- data/lib/resource_support/aws/aws_resource_mixin.rb +0 -69
- data/lib/resource_support/aws/aws_singular_resource_mixin.rb +0 -27
- data/lib/resource_support/aws.rb +0 -76
- data/lib/resources/aws/aws_billing_report.rb +0 -105
- data/lib/resources/aws/aws_billing_reports.rb +0 -74
- data/lib/resources/aws/aws_cloudtrail_trail.rb +0 -97
- data/lib/resources/aws/aws_cloudtrail_trails.rb +0 -51
- data/lib/resources/aws/aws_cloudwatch_alarm.rb +0 -67
- data/lib/resources/aws/aws_cloudwatch_log_metric_filter.rb +0 -105
- data/lib/resources/aws/aws_config_delivery_channel.rb +0 -74
- data/lib/resources/aws/aws_config_recorder.rb +0 -99
- data/lib/resources/aws/aws_ebs_volume.rb +0 -127
- data/lib/resources/aws/aws_ebs_volumes.rb +0 -69
- data/lib/resources/aws/aws_ec2_instance.rb +0 -162
- data/lib/resources/aws/aws_ec2_instances.rb +0 -69
- data/lib/resources/aws/aws_ecs_cluster.rb +0 -87
- data/lib/resources/aws/aws_eks_cluster.rb +0 -105
- data/lib/resources/aws/aws_elb.rb +0 -85
- data/lib/resources/aws/aws_elbs.rb +0 -84
- data/lib/resources/aws/aws_flow_log.rb +0 -106
- data/lib/resources/aws/aws_iam_access_key.rb +0 -112
- data/lib/resources/aws/aws_iam_access_keys.rb +0 -153
- data/lib/resources/aws/aws_iam_group.rb +0 -62
- data/lib/resources/aws/aws_iam_groups.rb +0 -56
- data/lib/resources/aws/aws_iam_password_policy.rb +0 -121
- data/lib/resources/aws/aws_iam_policies.rb +0 -57
- data/lib/resources/aws/aws_iam_policy.rb +0 -311
- data/lib/resources/aws/aws_iam_role.rb +0 -60
- data/lib/resources/aws/aws_iam_root_user.rb +0 -82
- data/lib/resources/aws/aws_iam_user.rb +0 -145
- data/lib/resources/aws/aws_iam_users.rb +0 -160
- data/lib/resources/aws/aws_kms_key.rb +0 -100
- data/lib/resources/aws/aws_kms_keys.rb +0 -58
- data/lib/resources/aws/aws_rds_instance.rb +0 -74
- data/lib/resources/aws/aws_route_table.rb +0 -67
- data/lib/resources/aws/aws_route_tables.rb +0 -64
- data/lib/resources/aws/aws_s3_bucket.rb +0 -141
- data/lib/resources/aws/aws_s3_bucket_object.rb +0 -87
- data/lib/resources/aws/aws_s3_buckets.rb +0 -52
- data/lib/resources/aws/aws_security_group.rb +0 -314
- data/lib/resources/aws/aws_security_groups.rb +0 -71
- data/lib/resources/aws/aws_sns_subscription.rb +0 -82
- data/lib/resources/aws/aws_sns_topic.rb +0 -57
- data/lib/resources/aws/aws_sns_topics.rb +0 -60
- data/lib/resources/aws/aws_sqs_queue.rb +0 -66
- data/lib/resources/aws/aws_subnet.rb +0 -92
- data/lib/resources/aws/aws_subnets.rb +0 -56
- data/lib/resources/aws/aws_vpc.rb +0 -77
- data/lib/resources/aws/aws_vpcs.rb +0 -55
- data/lib/resources/azure/azure_backend.rb +0 -379
- data/lib/resources/azure/azure_generic_resource.rb +0 -55
- data/lib/resources/azure/azure_resource_group.rb +0 -151
- data/lib/resources/azure/azure_virtual_machine.rb +0 -262
- data/lib/resources/azure/azure_virtual_machine_data_disk.rb +0 -131
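--- a/data/lib/resources/aws/aws_ec2_instance.rb
+++ b/data/lib/resources/aws/aws_ec2_instance.rb
@@ -1,162 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-ec2"
-
-class AwsEc2Instance < Inspec.resource(1)
-name "aws_ec2_instance"
-desc "Verifies settings for an EC2 instance"
-
-example <<~EXAMPLE
-describe aws_ec2_instance('i-123456') do
-it { should be_running }
-it { should have_roles }
-end
-
-describe aws_ec2_instance(name: 'my-instance') do
-it { should be_running }
-it { should have_roles }
-end
-EXAMPLE
-supports platform: "aws"
-
-# TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin
-def initialize(opts, conn = nil)
-@opts = opts
-@opts.is_a?(Hash) ? @display_name = @opts[:name] : @display_name = opts
-@ec2_client = conn ? conn.ec2_client : inspec_runner.backend.aws_client(Aws::EC2::Client)
-@ec2_resource = conn ? conn.ec2_resource : inspec_runner.backend.aws_resource(Aws::EC2::Resource, {})
-@iam_resource = conn ? conn.iam_resource : inspec_runner.backend.aws_resource(Aws::IAM::Resource, {})
-end
-
-# TODO: DRY up, see https://github.com/chef/inspec/issues/2633
-# Copied from resource_support/aws/aws_resource_mixin.rb
-def catch_aws_errors
-yield
-rescue Aws::Errors::MissingCredentialsError
-# The AWS error here is unhelpful:
-# "unable to sign request without credentials set"
-Inspec::Log.error "It appears that you have not set your AWS credentials. You may set them using environment variables, or using the 'aws://region/aws_credentials_profile' target. See https://docs.chef.io/inspec/platforms/ for details."
-fail_resource("No AWS credentials available")
-rescue Aws::Errors::ServiceError => e
-fail_resource e.message
-end
-
-# TODO: DRY up, see https://github.com/chef/inspec/issues/2633
-# Copied from resource_support/aws/aws_singular_resource_mixin.rb
-def inspec_runner
-# When running under inspec-cli, we have an 'inspec' method that
-# returns the runner. When running under unit tests, we don't
-# have that, but we still have to call this to pass something
-# (nil is OK) to the backend.
-# TODO: remove with https://github.com/chef/inspec-aws/issues/216
-# TODO: remove after rewrite to include AwsSingularResource
-inspec if respond_to?(:inspec)
-end
-
-def id
-return @instance_id if defined?(@instance_id)
-
-catch_aws_errors do
-if @opts.is_a?(Hash)
-first = @ec2_resource.instances(
-{
-filters: [{
-name: "tag:Name",
-values: [@opts[:name]],
-}],
-}
-).first
-# catch case where the instance is not known
-@instance_id = first.id unless first.nil?
-else
-@instance_id = @opts
-end
-end
-end
-alias instance_id id
-
-def exists?
-return false if instance.nil?
-
-instance.exists?
-end
-
-# returns the instance state
-def state
-catch_aws_errors do
-instance&.state&.name
-end
-end
-
-# helper methods for each state
-%w{
-pending running shutting-down
-terminated stopping stopped unknown
-}.each do |state_name|
-define_method state_name.tr("-", "_") + "?" do
-state == state_name
-end
-end
-
-# attributes that we want to expose
-%w{
-public_ip_address private_ip_address key_name private_dns_name
-public_dns_name subnet_id architecture root_device_type
-root_device_name virtualization_type client_token launch_time
-instance_type image_id vpc_id
-}.each do |attribute|
-define_method attribute do
-catch_aws_errors do
-instance.send(attribute) if instance
-end
-end
-end
-
-# Don't document this - it's a bit hard to use. Our current doctrine
-# is to use dumb things, like arrays of strings - use security_group_ids instead.
-def security_groups
-catch_aws_errors do
-@security_groups ||= instance.security_groups.map do |sg|
-{ id: sg.group_id, name: sg.group_name }
-end
-end
-end
-
-def security_group_ids
-catch_aws_errors do
-@security_group_ids ||= instance.security_groups.map(&:group_id)
-end
-end
-
-def tags
-catch_aws_errors do
-@tags ||= instance.tags.map { |tag| { key: tag.key, value: tag.value } }
-end
-end
-
-def to_s
-"EC2 Instance #{@display_name}"
-end
-
-def has_roles?
-catch_aws_errors do
-instance_profile = instance.iam_instance_profile
-
-if instance_profile
-roles = @iam_resource.instance_profile(
-instance_profile.arn.gsub(%r{^.*\/}, "")
-).roles
-else
-roles = nil
-end
-
-roles && !roles.empty?
-end
-end
-
-private
-
-def instance
-catch_aws_errors { @instance ||= @ec2_resource.instance(id) }
-end
-end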
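--- a/data/lib/resources/aws/aws_ec2_instances.rb
+++ b/data/lib/resources/aws/aws_ec2_instances.rb
@@ -1,69 +0,0 @@
-require "resource_support/aws/aws_plural_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-ec2"
-
-class AwsEc2Instances < Inspec.resource(1)
-name "aws_ec2_instances"
-desc "Verifies settings for AWS EC2 Instances in bulk"
-example <<~EXAMPLE
-describe aws_ec2_instances do
-it { should exist }
-end
-EXAMPLE
-supports platform: "aws"
-
-include AwsPluralResourceMixin
-def validate_params(resource_params)
-unless resource_params.empty?
-raise ArgumentError, "aws_ec2_instances does not accept resource parameters."
-end
-
-resource_params
-end
-
-# Underlying FilterTable implementation.
-filter = FilterTable.create
-filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
-filter.register_column(:instance_ids, field: :instance_id)
-filter.install_filter_methods_on_resource(self, :table)
-
-def to_s
-"EC2 Instances"
-end
-
-def fetch_from_api
-backend = BackendFactory.create(inspec_runner)
-@table = []
-pagination_opts = {}
-loop do
-api_result = backend.describe_instances(pagination_opts)
-@table += unpack_describe_instances_response(api_result.reservations)
-break unless api_result.next_token
-
-pagination_opts = { next_token: api_result.next_token }
-end
-end
-
-def unpack_describe_instances_response(reservations)
-instance_rows = []
-reservations.each do |res|
-instance_rows += res.instances.map do |instance_struct|
-{
-instance_id: instance_struct.instance_id,
-}
-end
-end
-instance_rows
-end
-
-class Backend
-class AwsClientApi < AwsBackendBase
-BackendFactory.set_default_backend(self)
-self.aws_client_class = Aws::EC2::Client
-
-def describe_instances(query)
-aws_service_client.describe_instances(query)
-end
-end
-end
-end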
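--- a/data/lib/resources/aws/aws_ecs_cluster.rb
+++ b/data/lib/resources/aws/aws_ecs_cluster.rb
@@ -1,87 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-ecs"
-
-class AwsEcsCluster < Inspec.resource(1)
-name "aws_ecs_cluster"
-desc "Verifies settings for an ECS cluster"
-
-example <<~EXAMPLE
-describe aws_ecs_cluster('default') do
-it { should exist }
-end
-EXAMPLE
-supports platform: "aws"
-
-include AwsSingularResourceMixin
-attr_reader :cluster_arn, :cluster_name, :status,
-:registered_container_instances_count, :running_tasks_count,
-:pending_tasks_count, :active_services_count, :statistics
-
-def to_s
-"AWS ECS cluster #{cluster_name}"
-end
-
-private
-
-def validate_params(raw_params)
-validated_params = check_resource_param_names(
-raw_params: raw_params,
-allowed_params: [:cluster_name],
-allowed_scalar_name: :cluster_name,
-allowed_scalar_type: String
-)
-
-validated_params
-end
-
-def fetch_from_api
-backend = BackendFactory.create(inspec_runner)
-
-# Use default cluster if no cluster name is specified
-params = cluster_name.nil? ? {} : { clusters: [cluster_name] }
-clusters = backend.describe_clusters(params).clusters
-
-# Cluster name is unique, we either get back one cluster, or none
-if clusters.length == 1
-@exists = true
-unpack_describe_clusters_response(clusters.first)
-else
-@exists = false
-populate_as_missing
-end
-end
-
-def unpack_describe_clusters_response(cluster_struct)
-@cluster_arn = cluster_struct.cluster_arn
-@cluster_name = cluster_struct.cluster_name
-@status = cluster_struct.status
-@registered_container_instances_count = cluster_struct.registered_container_instances_count
-@running_tasks_count = cluster_struct.running_tasks_count
-@pending_tasks_count = cluster_struct.pending_tasks_count
-@active_services_count = cluster_struct.active_services_count
-@statistics = cluster_struct.statistics
-end
-
-def populate_as_missing
-@cluster_arn = ""
-@cluster_name = ""
-@status = ""
-@registered_container_instances_count = 0
-@running_tasks_count = 0
-@pending_tasks_count = 0
-@active_services_count = 0
-@statistics = []
-end
-
-class Backend
-class AwsClientApi < AwsBackendBase
-BackendFactory.set_default_backend(self)
-self.aws_client_class = Aws::ECS::Client
-
-def describe_clusters(query = {})
-aws_service_client.describe_clusters(query)
-end
-end
-end
-end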
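--- a/data/lib/resources/aws/aws_eks_cluster.rb
+++ b/data/lib/resources/aws/aws_eks_cluster.rb
@@ -1,105 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-eks"
-
-class AwsEksCluster < Inspec.resource(1)
-name "aws_eks_cluster"
-desc "Verifies settings for an EKS cluster"
-
-example <<~EXAMPLE
-describe aws_eks_cluster('default') do
-it { should exist }
-end
-EXAMPLE
-supports platform: "aws"
-
-include AwsSingularResourceMixin
-attr_reader :version, :arn, :cluster_name, :certificate_authority, :name,
-:status, :endpoint, :subnets_count, :subnet_ids, :security_group_ids,
-:created_at, :role_arn, :vpc_id, :security_groups_count, :creating,
-:active, :failed, :deleting
-# Use aliases for matchers
-alias active? active
-alias failed? failed
-alias creating? creating
-alias deleting? deleting
-
-def to_s
-"AWS EKS cluster #{cluster_name}"
-end
-
-private
-
-def validate_params(raw_params)
-validated_params = check_resource_param_names(
-raw_params: raw_params,
-allowed_params: [:cluster_name],
-allowed_scalar_name: :cluster_name,
-allowed_scalar_type: String
-)
-
-if validated_params.empty?
-raise ArgumentError, "You must provide a cluster_name to aws_eks_cluster."
-end
-
-validated_params
-end
-
-def fetch_from_api # rubocop:disable Metrics/AbcSize
-backend = BackendFactory.create(inspec_runner)
-begin
-params = { name: cluster_name }
-resp = backend.describe_cluster(params)
-rescue Aws::EKS::Errors::ResourceNotFoundException
-@exists = false
-populate_as_missing
-return
-end
-@exists = true
-cluster = resp.to_h[:cluster]
-@version = cluster[:version]
-@name = cluster[:name]
-@arn = cluster[:arn]
-@certificate_authority = cluster[:certificate_authority][:data]
-@created_at = cluster[:created_at]
-@endpoint = cluster[:endpoint]
-@security_group_ids = cluster[:resources_vpc_config][:security_group_ids]
-@subnet_ids = cluster[:resources_vpc_config][:subnet_ids]
-@subnets_count = cluster[:resources_vpc_config][:subnet_ids].length
-@security_groups_count = cluster[:resources_vpc_config][:security_group_ids].length
-@vpc_id = cluster[:resources_vpc_config][:vpc_id]
-@role_arn = cluster[:role_arn]
-@status = cluster[:status]
-@active = cluster[:status] == "ACTIVE"
-@failed = cluster[:status] == "FAILED"
-@creating = cluster[:status] == "CREATING"
-@deleting = cluster[:status] == "DELETING"
-end
-
-def populate_as_missing
-@version = nil
-@name = cluster_name # name is an alias for cluster_name, and it is retained on a miss
-@arn = nil
-@certificate_authority = nil
-@created_at = nil
-@endpoint = nil
-@security_group_ids = []
-@subnet_ids = []
-@subnets_count = nil
-@security_groups_count = nil
-@vpc_id = nil
-@role_arn = nil
-@status = nil
-end
-
-class Backend
-class AwsClientApi < AwsBackendBase
-BackendFactory.set_default_backend(self)
-self.aws_client_class = Aws::EKS::Client
-
-def describe_cluster(query = {})
-aws_service_client.describe_cluster(query)
-end
-end
-end
-end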
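--- a/data/lib/resources/aws/aws_elb.rb
+++ b/data/lib/resources/aws/aws_elb.rb
@@ -1,85 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-elasticloadbalancing"
-
-class AwsElb < Inspec.resource(1)
-name "aws_elb"
-desc "Verifies settings for AWS Elastic Load Balancer"
-example <<~EXAMPLE
-describe aws_elb('myelb') do
-it { should exist }
-end
-EXAMPLE
-supports platform: "aws"
-
-include AwsSingularResourceMixin
-attr_reader :availability_zones, :dns_name, :elb_name, :external_ports,
-:instance_ids, :internal_ports, :security_group_ids,
-:subnet_ids, :vpc_id
-
-def to_s
-"AWS ELB #{elb_name}"
-end
-
-private
-
-def validate_params(raw_params)
-validated_params = check_resource_param_names(
-raw_params: raw_params,
-allowed_params: [:elb_name],
-allowed_scalar_name: :elb_name,
-allowed_scalar_type: String
-)
-
-if validated_params.empty?
-raise ArgumentError, "You must provide a elb_name to aws_elb."
-end
-
-validated_params
-end
-
-def fetch_from_api
-backend = BackendFactory.create(inspec_runner)
-begin
-lbs = backend.describe_load_balancers(load_balancer_names: [elb_name]).load_balancer_descriptions
-@exists = true
-# Load balancer names are uniq; we will either have 0 or 1 result
-unpack_describe_elbs_response(lbs.first)
-rescue Aws::ElasticLoadBalancing::Errors::LoadBalancerNotFound
-@exists = false
-populate_as_missing
-end
-end
-
-def unpack_describe_elbs_response(lb_struct)
-@availability_zones = lb_struct.availability_zones
-@dns_name = lb_struct.dns_name
-@external_ports = lb_struct.listener_descriptions.map { |ld| ld.listener.load_balancer_port }
-@instance_ids = lb_struct.instances.map(&:instance_id)
-@internal_ports = lb_struct.listener_descriptions.map { |ld| ld.listener.instance_port }
-@elb_name = lb_struct.load_balancer_name
-@security_group_ids = lb_struct.security_groups
-@subnet_ids = lb_struct.subnets
-@vpc_id = lb_struct.vpc_id
-end
-
-def populate_as_missing
-@availability_zones = []
-@external_ports = []
-@instance_ids = []
-@internal_ports = []
-@security_group_ids = []
-@subnet_ids = []
-end
-
-class Backend
-class AwsClientApi < AwsBackendBase
-BackendFactory.set_default_backend(self)
-self.aws_client_class = Aws::ElasticLoadBalancing::Client
-
-def describe_load_balancers(query = {})
-aws_service_client.describe_load_balancers(query)
-end
-end
-end
-end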
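--- a/data/lib/resources/aws/aws_elbs.rb
+++ b/data/lib/resources/aws/aws_elbs.rb
@@ -1,84 +0,0 @@
-require "resource_support/aws/aws_plural_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-elasticloadbalancing"
-
-class AwsElbs < Inspec.resource(1)
-name "aws_elbs"
-desc "Verifies settings for AWS ELBs (classic Elastic Load Balancers) in bulk"
-example <<~EXAMPLE
-describe aws_elbs do
-it { should exist }
-end
-EXAMPLE
-supports platform: "aws"
-
-include AwsPluralResourceMixin
-def validate_params(resource_params)
-unless resource_params.empty?
-raise ArgumentError, "aws_elbs does not accept resource parameters."
-end
-
-resource_params
-end
-
-# Underlying FilterTable implementation.
-filter = FilterTable.create
-filter.add_accessor(:entries)
-.add_accessor(:where)
-.add(:exists?) { |table| !table.params.empty? }
-.add(:count) { |table| table.params.count }
-.add(:availability_zones, field: :availability_zones, style: :simple)
-.add(:dns_names, field: :dns_name)
-.add(:external_ports, field: :external_ports, style: :simple)
-.add(:instance_ids, field: :instance_ids, style: :simple)
-.add(:internal_ports, field: :internal_ports, style: :simple)
-.add(:elb_names, field: :elb_name)
-.add(:security_group_ids, field: :security_group_ids, style: :simple)
-.add(:subnet_ids, field: :subnet_ids, style: :simple)
-.add(:vpc_ids, field: :vpc_id, style: :simple)
-filter.connect(self, :table)
-
-def to_s
-"AWS ELBs"
-end
-
-def fetch_from_api
-backend = BackendFactory.create(inspec_runner)
-@table = []
-pagination_opts = {}
-loop do
-api_result = backend.describe_load_balancers(pagination_opts)
-@table += unpack_describe_elbs_response(api_result.load_balancer_descriptions)
-break unless api_result.next_marker
-
-pagination_opts = { marker: api_result.next_marker }
-end
-end
-
-def unpack_describe_elbs_response(load_balancers)
-load_balancers.map do |lb_struct|
-{
-availability_zones: lb_struct.availability_zones,
-dns_name: lb_struct.dns_name,
-external_ports: lb_struct.listener_descriptions.map { |ld| ld.listener.load_balancer_port },
-instance_ids: lb_struct.instances.map(&:instance_id),
-internal_ports: lb_struct.listener_descriptions.map { |ld| ld.listener.instance_port },
-elb_name: lb_struct.load_balancer_name,
-security_group_ids: lb_struct.security_groups,
-subnet_ids: lb_struct.subnets,
-vpc_id: lb_struct.vpc_id,
-}
-end
-end
-
-class Backend
-class AwsClientApi < AwsBackendBase
-BackendFactory.set_default_backend(self)
-self.aws_client_class = Aws::ElasticLoadBalancing::Client
-
-def describe_load_balancers(query = {})
-aws_service_client.describe_load_balancers(query)
-end
-end
-end
-end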
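--- a/data/lib/resources/aws/aws_flow_log.rb
+++ b/data/lib/resources/aws/aws_flow_log.rb
@@ -1,106 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-ec2"
-
-class AwsFlowLog < Inspec.resource(1)
-name "aws_flow_log"
-supports platform: "aws"
-desc "This resource is used to test the attributes of a Flow Log."
-example <<~EXAMPLE
-describe aws_flow_log('fl-9c718cf5') do
-it { should exist }
-end
-EXAMPLE
-
-include AwsSingularResourceMixin
-
-def to_s
-"AWS Flow Log #{id}"
-end
-
-def resource_type
-case @resource_id
-when /^eni/
-@resource_type = "eni"
-when /^subnet/
-@resource_type = "subnet"
-when /^vpc/
-@resource_type = "vpc"
-end
-end
-
-def attached_to_eni?
-resource_type.eql?("eni") ? true : false
-end
-
-def attached_to_subnet?
-resource_type.eql?("subnet") ? true : false
-end
-
-def attached_to_vpc?
-resource_type.eql?("vpc") ? true : false
-end
-
-attr_reader :log_group_name, :resource_id, :flow_log_id
-
-private
-
-def validate_params(raw_params)
-validated_params = check_resource_param_names(
-raw_params: raw_params,
-allowed_params: %i{flow_log_id subnet_id vpc_id},
-allowed_scalar_name: :flow_log_id,
-allowed_scalar_type: String
-)
-
-if validated_params.empty?
-raise ArgumentError,
-"aws_flow_log requires a parameter: flow_log_id, subnet_id, or vpc_id"
-end
-
-validated_params
-end
-
-def fetch_from_api
-backend = BackendFactory.create(inspec_runner)
-
-resp = backend.describe_flow_logs(filter_args)
-flow_log = resp.to_h[:flow_logs].first
-@exists = !flow_log.nil?
-unless flow_log.nil?
-@log_group_name = flow_log[:log_group_name]
-@resource_id = flow_log[:resource_id]
-@flow_log_id = flow_log[:flow_log_id]
-end
-end
-
-def filter_args
-if @flow_log_id
-{ filter: [{ name: "flow-log-id", values: [@flow_log_id] }] }
-elsif @subnet_id || @vpc_id
-filter = @subnet_id || @vpc_id
-{ filter: [{ name: "resource-id", values: [filter] }] }
-end
-end
-
-def id
-return @flow_log_id if @flow_log_id
-return @subnet_id if @subnet_id
-return @vpc_id if @vpc_id
-end
-
-def backend
-BackendFactory.create(inspec_runner)
-end
-
-class Backend
-class AwsClientApi < AwsBackendBase
-AwsFlowLog::BackendFactory.set_default_backend(self)
-self.aws_client_class = Aws::EC2::Client
-
-def describe_flow_logs(query)
-aws_service_client.describe_flow_logs(query)
-end
-end
-end
-end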