-
Notifications
You must be signed in to change notification settings - Fork 106
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #664 from inspec/soumyo/aws_ec2_customer_gateway
soumyo/aws_ec2_customer_gateway
- Loading branch information
Showing
10 changed files
with
451 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,85 @@ | ||
| --- | ||
| title: About the aws_ec2_customer_gateway Resource | ||
| platform: aws | ||
| --- | ||
|
|
||
| # aws_ec2_customer_gateway | ||
|
|
||
| Use the `aws_ec2_customer_gateway` InSpec audit resource to test properties of a single AWS EC2 customer gateway. | ||
|
|
||
| The `AWS::EC2::CustomerGateway` resource type specifies a customer gateway. | ||
|
|
||
| ## Syntax | ||
|
|
||
| Ensure that the customer gateway Id exists. | ||
|
|
||
| describe aws_ec2_customer_gateway(customer_gateway_id: "CUSTOMER_GATEWAY_ID") do | ||
| it { should exist } | ||
| end | ||
|
|
||
| ## Parameters | ||
|
|
||
| `customer_gateway_id` _(required)_ | ||
|
|
||
| The ID of the customer gateway. | ||
|
|
||
| For additional information, see the [AWS documentation on AWS EC2 customer gateway](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-customer-gateway.html). | ||
|
|
||
| ## Properties | ||
|
|
||
| | Property | Description | | ||
| | --- | --- | | ||
| | bgp_asn | The customer gateway's Border Gateway Protocol (BGP) Autonomous System Number (ASN). | | ||
| | customer_gateway_id | The ID of the customer gateway. | | ||
| | ip_address | The internet-routable IP address of the customer gateway's outside interface. | | ||
| | certificate_arn | The Amazon Resource Name (ARN) for the customer gateway certificate. | | ||
| | state | The current state of the customer gateway. | | ||
| | type | The type of VPN connection the customer gateway supports (ipsec.1). | | ||
| | device_name | The name of customer gateway device. | | ||
| | tags | Any tags assigned to the customer gateway. | | ||
|
|
||
| ## Examples | ||
|
|
||
| ### Ensure a customer gateway ID is available. | ||
|
|
||
| describe aws_ec2_customer_gateway(customer_gateway_id: "CUSTOMER_GATEWAY_ID") do | ||
| its('customer_gateway_id') { should eq 'CUSTOMER_GATEWAY_ID' } | ||
| end | ||
|
|
||
| ### Ensure that the state is `available`. | ||
|
|
||
| describe aws_ec2_customer_gateway(customer_gateway_id: "CUSTOMER_GATEWAY_ID") do | ||
| its('state') { should eq 'available' } | ||
| end | ||
|
|
||
| ## Matchers | ||
|
|
||
| This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/). | ||
|
|
||
| The controls will pass if the `describe` method returns at least one result. | ||
|
|
||
| ### exist | ||
|
|
||
| Use `should` to test that the entity exists. | ||
|
|
||
| describe aws_ec2_customer_gateway(customer_gateway_id: "CUSTOMER_GATEWAY_ID") do | ||
| it { should exist } | ||
| end | ||
|
|
||
| Use `should_not` to test the entity does not exist. | ||
|
|
||
| describe aws_ec2_customer_gateway(customer_gateway_id: "CUSTOMER_GATEWAY_ID") do | ||
| it { should_not exist } | ||
| end | ||
|
|
||
| ### be_available | ||
|
|
||
| Use `should` to check if the entity is available. | ||
|
|
||
| describe aws_ec2_customer_gateway(customer_gateway_id: "CUSTOMER_GATEWAY_ID") do | ||
| it { should be_available } | ||
| end | ||
|
|
||
| ## AWS Permissions | ||
|
|
||
| Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `EC2:Client:DescribeCustomerGatewaysResult` action with `Effect` set to `Allow`. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,81 @@ | ||
| --- | ||
| title: About the aws_ec2_customer_gateways Resource | ||
| platform: aws | ||
| --- | ||
|
|
||
| # aws_ec2_customer_gateways | ||
|
|
||
| Use the `aws_ec2_customer_gateways` InSpec audit resource to test properties of the plural resource of AWS EC2 customer gateway. | ||
|
|
||
| The `AWS::EC2::CustomerGateway` resource type specifies a customer gateway. | ||
|
|
||
| ## Syntax | ||
|
|
||
| Ensure that the customer gateway exists. | ||
|
|
||
| describe aws_ec2_customer_gateways do | ||
| it { should exist } | ||
| end | ||
|
|
||
| ## Parameters | ||
|
|
||
| For additional information, see the [AWS documentation on AWS EC2 customer gateway](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-customer-gateway.html). | ||
|
|
||
| ## Properties | ||
|
|
||
| | Property | Description | Field | | ||
| | --- | --- | --- | | ||
| | bgp_asns | The customer gateway's Border Gateway Protocol (BGP) Autonomous System Number (ASN). | bgp_asn | | ||
| | customer_gateway_ids | The ID of the customer gateway. | customer_gateway_id | | ||
| | ip_addresses | The Internet-routable IP address of the customer gateway's outside interface. | ip_address | | ||
| | certificate_arns | The Amazon Resource Name (ARN) for the customer gateway certificate. | certificate_arn | | ||
| | states | The current state of the customer gateway. | state | | ||
| | types | The type of VPN connection the customer gateway supports (ipsec.1). | type | | ||
| | device_names | The name of customer gateway device. | device_name | | ||
| | tags | Any tags assigned to the customer gateway. | tags | | ||
|
|
||
| ## Examples | ||
|
|
||
| ### Ensure a customer gateway ID is available. | ||
|
|
||
| describe aws_ec2_customer_gateways do | ||
| its('customer_gateway_ids') { should include 'CUSTOMER_GATEWAY_ID' } | ||
| end | ||
|
|
||
| ### Ensure that the state is `available`. | ||
|
|
||
| describe aws_ec2_customer_gateways do | ||
| its('states') { should include 'available' } | ||
| end | ||
|
|
||
| ## Matchers | ||
|
|
||
| This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/). | ||
|
|
||
| The controls will pass if the `describe` method returns at least one result. | ||
|
|
||
| ### exist | ||
|
|
||
| Use `should` to test that the entity exists. | ||
|
|
||
| describe aws_ec2_customer_gateways do | ||
| it { should exist } | ||
| end | ||
|
|
||
| Use `should_not` to test the entity does not exist. | ||
|
|
||
| describe aws_ec2_customer_gateways do | ||
| it { should_not exist } | ||
| end | ||
|
|
||
| ### be_available | ||
|
|
||
| Use `should` to check if the entity is available. | ||
|
|
||
| describe aws_ec2_customer_gateways do | ||
| it { should be_available } | ||
| end | ||
|
|
||
| ## AWS Permissions | ||
|
|
||
| Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `EC2:Client:DescribeCustomerGatewaysResult` action with `Effect` set to `Allow`. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| # frozen_string_literal: true | ||
|
|
||
| require 'aws_backend' | ||
|
|
||
| class AWSEC2CustomerGateway < AwsResourceBase | ||
| name 'aws_ec2_customer_gateway' | ||
| desc 'Describes one VPN customer gateways.' | ||
|
|
||
| example " | ||
| describe aws_ec2_customer_gateway(customer_gateway_id: 'CUSTOMER_GATEWAY_ID') do | ||
| it { should exist } | ||
| end | ||
| " | ||
|
|
||
| def initialize(opts = {}) | ||
| opts = { customer_gateway_id: opts } if opts.is_a?(String) | ||
| super(opts) | ||
| validate_parameters(required: [:customer_gateway_id]) | ||
| raise ArgumentError, "#{@__resource_name__}: customer_gateway_id must be provided" unless opts[:customer_gateway_id] && !opts[:customer_gateway_id].empty? | ||
| @display_name = opts[:customer_gateway_id] | ||
| catch_aws_errors do | ||
| resp = @aws.compute_client.describe_customer_gateways({ customer_gateway_ids: [opts[:customer_gateway_id]] }) | ||
| @resp = resp.customer_gateways[0].to_h | ||
| create_resource_methods(@resp) | ||
| end | ||
| end | ||
|
|
||
| def customer_gateway_id | ||
| return nil unless exists? | ||
| @resp[:customer_gateway_id] | ||
| end | ||
|
|
||
| def exists? | ||
| !@resp.nil? && !@resp.empty? | ||
| end | ||
|
|
||
| def to_s | ||
| "Customer Gateway Id: #{@display_name}" | ||
| end | ||
| end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| # frozen_string_literal: true | ||
|
|
||
| require 'aws_backend' | ||
|
|
||
| class AWSEC2CustomerGateways < AwsResourceBase | ||
| name 'aws_ec2_customer_gateways' | ||
| desc 'Describes one or more of your VPN customer gateways.' | ||
|
|
||
| example " | ||
| describe aws_ec2_customer_gateways do | ||
| it { should exist } | ||
| end | ||
| " | ||
|
|
||
| attr_reader :table | ||
|
|
||
| FilterTable.create | ||
| .register_column(:bgp_asns, field: :bgp_asn) | ||
| .register_column(:customer_gateway_ids, field: :customer_gateway_id) | ||
| .register_column(:ip_addresses, field: :ip_address) | ||
| .register_column(:certificate_arns, field: :certificate_arn) | ||
| .register_column(:states, field: :state) | ||
| .register_column(:types, field: :type) | ||
| .register_column(:device_names, field: :device_name) | ||
| .register_column(:tags, field: :tags) | ||
| .install_filter_methods_on_resource(self, :table) | ||
|
|
||
| def initialize(opts = {}) | ||
| super(opts) | ||
| validate_parameters | ||
| @table = fetch_data | ||
| end | ||
|
|
||
| def fetch_data | ||
| catch_aws_errors do | ||
| @resp = @aws.compute_client.describe_customer_gateways | ||
| end | ||
| return [] if !@resp || @resp.empty? | ||
| @table = @resp.customer_gateways.map(&:to_h) | ||
| end | ||
| end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
20 changes: 20 additions & 0 deletions
20
test/integration/verify/controls/aws_ec2_customer_gateway.rb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| aws_customer_gateway_id = attribute("aws_customer_gateway_id", value: "", description: "") | ||
|
|
||
| control 'aws-ec2-capacity-reservation-1.0' do | ||
| impact 1.0 | ||
| title 'Describes one or more of your VPN customer gateways.' | ||
|
|
||
| describe aws_ec2_customer_gateway(customer_gateway_id: aws_customer_gateway_id) do | ||
| it { should exist } | ||
| end | ||
|
|
||
| describe aws_ec2_customer_gateway(customer_gateway_id: aws_customer_gateway_id) do | ||
| its('bgp_asn') { should eq '65000' } | ||
| its('customer_gateway_id') { should eq aws_customer_gateway_id } | ||
| its('ip_address') { should_not be_empty } | ||
| its('certificate_arn') { should be_empty } | ||
| its('state') { should eq 'available' } | ||
| its('device_name') { should be_empty } | ||
| its('tags') { should_not be_empty } | ||
| end | ||
| end |
20 changes: 20 additions & 0 deletions
20
test/integration/verify/controls/aws_ec2_customer_gateways.rb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| aws_customer_gateway_id = attribute("aws_customer_gateway_id", value: "", description: "") | ||
|
|
||
| control 'aws-ec2-capacity-gateways-1.0' do | ||
| impact 1.0 | ||
| title 'Describes one or more of your VPN customer gateways.' | ||
|
|
||
| describe aws_ec2_customer_gateways do | ||
| it { should exist } | ||
| end | ||
|
|
||
| describe aws_ec2_customer_gateways do | ||
| its('bgp_asns') { should include '65000' } | ||
| its('customer_gateway_ids') { should include aws_customer_gateway_id } | ||
| its('ip_addresses') { should_not be_empty } | ||
| its('certificate_arns') { should_not be_empty } | ||
| its('states') { should include 'available' } | ||
| its('device_names') { should_not be_empty } | ||
| its('tags') { should_not be_empty } | ||
| end | ||
| end |
Oops, something went wrong.