From d4de6f56fde336fb141b3f6fc1280bf7442f3c37 Mon Sep 17 00:00:00 2001
From: Soumyodeep Karmakar
Date: Fri, 17 Sep 2021 18:52:50 +0530
Subject: [PATCH 1/4] all singular and plural resources
Signed-off-by: Soumyodeep Karmakar
---
 .../aws_apigateway_client_certificate.md | 83 +++++++++++++++++++
 .../aws_apigateway_client_certificates.md | 69 +++++++++++++++
 .../aws_apigateway_client_certificate.rb | 40 +++++++++
 .../aws_apigateway_client_certificates.rb | 47 +++++++++++
 .../aws_apigateway_client_certificate.rb | 23 +++++
 .../aws_apigateway_client_certificates.rb | 19 +++++
 .../aws_apigateway_client_certificate_test.rb | 64 ++++++++++++++
 ...aws_apigateway_client_certificates_test.rb | 60 ++++++++++++++
 8 files changed, 405 insertions(+)
 create mode 100644 docs/resources/aws_apigateway_client_certificate.md
 create mode 100644 docs/resources/aws_apigateway_client_certificates.md
 create mode 100644 libraries/aws_apigateway_client_certificate.rb
 create mode 100644 libraries/aws_apigateway_client_certificates.rb
 create mode 100644 test/integration/verify/controls/aws_apigateway_client_certificate.rb
 create mode 100644 test/integration/verify/controls/aws_apigateway_client_certificates.rb
 create mode 100644 test/unit/resources/aws_apigateway_client_certificate_test.rb
 create mode 100644 test/unit/resources/aws_apigateway_client_certificates_test.rb
diff --git a/docs/resources/aws_apigateway_client_certificate.md b/docs/resources/aws_apigateway_client_certificate.md
new file mode 100644
index 000000000..a71e87df9
--- /dev/null
+++ b/docs/resources/aws_apigateway_client_certificate.md
@@ -0,0 +1,83 @@
+---
+title: About the aws_apigateway_client_certificate Resource
+platform: aws
+---
+
+# aws_apigateway_client_certificate
+
+Use the `aws_apigateway_client_certificate` InSpec audit resource to test properties of a single specific AWS APIGateway ClientCertificate.
+
+The AWS::ApiGateway::ClientCertificate resource creates a client certificate that API Gateway uses to configure client-side SSL authentication for sending requests to the integration endpoint.
+
+## Syntax
+
+Ensure that the client certificate exists.
+
+ describe aws_apigateway_client_certificate(client_certificate_id: 'ClientCertificateID') do
+ it { should exist }
+ end
+
+## Parameters
+
+`client_certificate_id` _(required)_
+
+| Property | Description |
+| --- | --- |
+| client_certificate_id | The identifier of the client certificate. |
+
+For additional information, see the [AWS documentation on AWS APIGateway ClientCertificate.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-clientcertificate.html).
+
+## Properties
+
+| Property | Description | Field |
+| --- | --- | --- |
+| client_certificate_id | The identifier of the client certificate. | client_certificate_id |
+| description | The description of the client certificate. | description |
+| pem_encoded_certificate | The PEM-encoded public key of the client certificate, which can be used to configure certificate authentication in the integration endpoint .| pem_encoded_certificate |
+| created_date | The timestamp when the client certificate was created.| created_date |
+| expiration_date | The timestamp when the client certificate will expire.| expiration_date |
+| tags | The collection of tags. Each tag element is associated with a given resource. | tags |
+
+## Examples
+
+### Ensure a client certificate id is available.
+ describe aws_apigateway_client_certificate(client_certificate_id: 'ClientCertificateID') do
+ its('client_certificate_id') { should eq 'ClientCertificateID' }
+ end
+
+### Ensure a pem encoded certificate is available.
+ describe aws_apigateway_client_certificate(client_certificate_id: 'ClientCertificateID') do
+ its('pem_encoded_certificate') { should eq 'PemEncodedCertificate' }
+ end
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+The controls will pass if the `get` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+ describe aws_apigateway_client_certificate(client_certificate_id: 'ClientCertificateID') do
+ it { should exist }
+ end
+
+Use `should_not` to test the entity does not exist.
+
+ describe aws_apigateway_client_certificate(client_certificate_id: 'dummy') do
+ it { should_not exist }
+ end
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+ describe aws_apigateway_client_certificate(client_certificate_id: 'ClientCertificateID') do
+ it { should be_available }
+ end
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `APIGateway:Client:ClientCertificate` action with `Effect` set to `Allow`.
\ No newline at end of file
diff --git a/docs/resources/aws_apigateway_client_certificates.md b/docs/resources/aws_apigateway_client_certificates.md
new file mode 100644
index 000000000..00808eb29
--- /dev/null
+++ b/docs/resources/aws_apigateway_client_certificates.md
@@ -0,0 +1,69 @@
+---
+title: About the aws_apigateway_client_certificates Resource
+platform: aws
+---
+
+# aws_apigateway_client_certificates
+
+Use the `aws_apigateway_client_certificates` InSpec audit resource to test properties of the plural AWS APIGateway ClientCertificate.
+
+The AWS::ApiGateway::ClientCertificate resource creates a client certificate that API Gateway uses to configure client-side SSL authentication for sending requests to the integration endpoint.
+
+## Syntax
+
+Ensure that the client certificate exists.
+
+ describe aws_apigateway_client_certificates do
+ it { should exist }
+ end
+
+## Parameters
+
+For additional information, see the [AWS documentation on AWS APIGateway ClientCertificate.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-clientcertificate.html).
+
+## Properties
+
+| Property | Description | Field |
+| --- | --- | --- |
+| client_certificate_ids | The identifier of the client certificate. | client_certificate_id |
+| descriptions | The description of the client certificate. | description |
+| pem_encoded_certificates | The PEM-encoded public key of the client certificate, which can be used to configure certificate authentication in the integration endpoint .| pem_encoded_certificate |
+| created_dates | The timestamp when the client certificate was created.| created_date |
+| expiration_dates | The timestamp when the client certificate will expire.| expiration_date |
+| tags | The collection of tags. Each tag element is associated with a given resource. | tags |
+
+## Examples
+
+### Ensure a client certificate id is available.
+ describe aws_apigateway_client_certificates do
+ its('client_certificate_id') { should include 'ClientCertificateID' }
+ end
+
+### Ensure a pem encoded certificate is available.
+ describe aws_apigateway_client_certificates do
+ its('pem_encoded_certificate') { should include 'PemEncodedCertificate' }
+ end
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+The controls will pass if the `get` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+ describe aws_apigateway_client_certificates do
+ it { should exist }
+ end
+
+Use `should_not` to test the entity does not exist.
+
+ describe aws_apigateway_api_keys do
+ it { should_not exist }
+ end
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `APIGateway:Client:ClientCertificate` action with `Effect` set to `Allow`.
\ No newline at end of file
diff --git a/libraries/aws_apigateway_client_certificate.rb b/libraries/aws_apigateway_client_certificate.rb
new file mode 100644
index 000000000..46f8084df
--- /dev/null
+++ b/libraries/aws_apigateway_client_certificate.rb
@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require 'aws_backend'
+
+class AWSApiGatewayClientCertificate < AwsResourceBase
+ name 'aws_apigateway_client_certificate'
+ desc 'Gets information about the current ClientCertificate resource.'
+
+ example "
+ describe aws_apigateway_client_certificate(client_certificate_id: 'ClientCertificateID') do
+ it { should exist }
+ end
+ "
+
+ def initialize(opts = {})
+ opts = { client_certificate_id: opts } if opts.is_a?(String)
+ super(opts)
+ validate_parameters(required: %i(client_certificate_id))
+ raise ArgumentError, "#{@__resource_name__}: client_certificate_id must be provided" unless opts[:client_certificate_id] && !opts[:client_certificate_id].empty?
+ @display_name = opts[:client_certificate_id]
+ catch_aws_errors do
+ resp = @aws.apigateway_client.get_client_certificate({ client_certificate_id: opts[:client_certificate_id] })
+ @res = resp.to_h
+ create_resource_methods(@res)
+ end
+ end
+
+ def client_certificate_id
+ return nil unless exists?
+ @res[:client_certificate_id]
+ end
+
+ def exists?
+ !@res.nil? && !@res.empty?
+ end
+
+ def to_s
+ "Client Certificate ID: #{@display_name}"
+ end
+end
diff --git a/libraries/aws_apigateway_client_certificates.rb b/libraries/aws_apigateway_client_certificates.rb
new file mode 100644
index 000000000..9a56ec49f
--- /dev/null
+++ b/libraries/aws_apigateway_client_certificates.rb
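Review bot: The resource documentation added in this same patch advertises a `be_available` matcher, but this class defines no `available?` predicate and `create_resource_methods(@res)` only exposes fields returned by `get_client_certificate`, so `it { should be_available }` would raise rather than pass; either add the predicate here or drop that section from the docs. Since this resource exists to audit client certificates, the check a control author actually wants is expiry, which could be offered next to `client_certificate_id` as `def expired?` / `  exists? && !@res[:expiration_date].nil? && @res[:expiration_date] < Time.now` / `end`. Whether a NotFoundException from `get_client_certificate` leaves `@res` nil (so `exists?` is false) or aborts the resource depends on `catch_aws_errors` in `aws_backend`, which is not visible in this patch, so the documented `should_not exist` behaviour is worth confirming with a stubbed not-found response. The `APIGateway:Client:ClientCertificate` action named in the docs' Permissions section does not look like an IAM action; API Gateway control-plane reads are, as far as I know, authorised as `apigateway:GET` on the resource ARN, which is worth verifying before someone copies the docs into a policy.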
@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require 'aws_backend'
+
+class AWSApiGatewayClientCertificates < AwsResourceBase
+ name 'aws_apigateway_client_certificates'
+ desc 'Gets a collection of ClientCertificate resources.'
+
+ example "
+ describe aws_apigateway_client_certificates do
+ it { should exist }
+ end
+ "
+
+ attr_reader :table
+
+ FilterTable.create
+ .register_column(:client_certificate_ids, field: :client_certificate_id)
+ .register_column(:descriptions, field: :description)
+ .register_column(:pem_encoded_certificates, field: :pem_encoded_certificate)
+ .register_column(:created_dates, field: :created_date)
+ .register_column(:expiration_dates, field: :expiration_date)
+ .register_column(:tags, field: :tags)
+ .install_filter_methods_on_resource(self, :table)
+
+ def initialize(opts = {})
+ super(opts)
+ validate_parameters
+ @table = fetch_data
+ end
+
+ def fetch_data
+ catch_aws_errors do
+ @table = @aws.apigateway_client.get_client_certificates.map do |table|
+ table.items.map { |table_name| {
+ client_certificate_id: table_name.client_certificate_id,
+ description: table_name.description,
+ pem_encoded_certificate: table_name.pem_encoded_certificate,
+ created_date: table_name.created_date,
+ expiration_date: table_name.expiration_date,
+ tags: table_name.tags,
+ }
+ }
+ end.flatten
+ end
+ end
+end
diff --git a/test/integration/verify/controls/aws_apigateway_client_certificate.rb b/test/integration/verify/controls/aws_apigateway_client_certificate.rb
new file mode 100644
index 000000000..08c1b5efd
--- /dev/null
+++ b/test/integration/verify/controls/aws_apigateway_client_certificate.rb
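Review bot: The block variables in `fetch_data` are named `table` and `table_name` although they iterate response pages and certificate items, which misreads badly in a class that already has a `@table` ivar and a `:table` FilterTable; `@table = @aws.apigateway_client.get_client_certificates.map do |page|` / `page.items.map { |cert| {` would make the pagination intent visible. `fetch_data` assigns `@table` inside the `catch_aws_errors` block and `initialize` assigns `@table = fetch_data` again, so one of the two is redundant; more importantly, if `catch_aws_errors` swallows a service error the method returns whatever that helper returns (presumably nil) and `@table` is never an array, which is worth checking against how FilterTable handles a nil table. Mapping over the pageable `get_client_certificates` response and flattening does appear to walk every page, which matters because the API presumably returns a bounded page per call; a one-line comment such as `# map over the pageable response so every page of certificates is collected` would stop a future reader from "simplifying" it to `.items`.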
@@ -0,0 +1,23 @@
+aws_api_gateway_client_certificate_id = attribute(:aws_api_gateway_client_certificate_id, value: '', description: '')
+aws_api_gateway_client_certificate_created_date = attribute(:aws_api_gateway_client_certificate_created_date, value: '', description: '')
+aws_api_gateway_client_certificate_expiration_date = attribute(:aws_api_gateway_client_certificate_expiration_date, value: '', description: '')
+aws_api_gateway_client_certificate_pem_encoded_certificate = attribute(:aws_api_gateway_client_certificate_pem_encoded_certificate, value: '', description: '')
+
+control 'aws-apigateway-client-certificate' do
+
+ impact 1.0
+ title 'Ensure API Gateway Client Certificate resource has the correct properties.'
+
+ describe aws_apigateway_client_certificate(client_certificate_id: aws_api_gateway_client_certificate_id) do
+ it { should exist }
+ end
+
+ describe aws_apigateway_client_certificate(client_certificate_id: aws_api_gateway_client_certificate_id) do
+ its('client_certificate_id') { should eq aws_api_gateway_client_certificate_id }
+ its('description') { should eq 'My client certificate.' }
+ its('pem_encoded_certificate') { should eq aws_api_gateway_client_certificate_pem_encoded_certificate }
+ its('created_date') { should eq Time.parse(aws_api_gateway_client_certificate_created_date) }
+ its('expiration_date') { should eq Time.parse(aws_api_gateway_client_certificate_expiration_date) }
+ its('tags') { should be_empty }
+ end
+end
\ No newline at end of file
diff --git a/test/integration/verify/controls/aws_apigateway_client_certificates.rb b/test/integration/verify/controls/aws_apigateway_client_certificates.rb
new file mode 100644
index 000000000..1c4ba47d2
--- /dev/null
+++ b/test/integration/verify/controls/aws_apigateway_client_certificates.rb
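Review bot: `Time.parse(aws_api_gateway_client_certificate_created_date)` and the `expiration_date` line below it are evaluated against attributes whose declared default is `''`, and `Time.parse('')` raises ArgumentError, so running this control without the attribute file aborts the describe block with an exception instead of reporting a failed expectation; guarding the time assertions with `only_if { !aws_api_gateway_client_certificate_created_date.empty? }` or giving the attributes real defaults avoids that. For a certificate resource the assertion a practitioner actually wants is that the certificate is still valid, e.g. `its('expiration_date') { should be > Time.now }`, which is meaningful in any account and needs no attribute at all. The hard-coded `'My client certificate.'` description couples the control to one fixture whose definition is not part of this patch, so it is worth confirming the integration fixtures set exactly that string.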
@@ -0,0 +1,19 @@
+aws_api_gateway_client_certificate_id = attribute(:aws_api_gateway_client_certificate_id, value: '', description: '')
+aws_api_gateway_client_certificate_created_date = attribute(:aws_api_gateway_client_certificate_created_date, value: '', description: '')
+aws_api_gateway_client_certificate_expiration_date = attribute(:aws_api_gateway_client_certificate_expiration_date, value: '', description: '')
+aws_api_gateway_client_certificate_pem_encoded_certificate = attribute(:aws_api_gateway_client_certificate_pem_encoded_certificate, value: '', description: '')
+
+control 'aws-apigateway-client-certificates' do
+
+ impact 1.0
+ title 'Ensure API Gateway Client Certificate resource has the correct properties.'
+
+ describe aws_apigateway_client_certificates do
+ its('client_certificate_ids') { should include aws_api_gateway_client_certificate_id }
+ its('descriptions') { should include 'My client certificate.' }
+ its('pem_encoded_certificates') { should include aws_api_gateway_client_certificate_pem_encoded_certificate }
+ its('created_dates') { should include Time.parse(aws_api_gateway_client_certificate_created_date) }
+ its('expiration_dates') { should include Time.parse(aws_api_gateway_client_certificate_expiration_date) }
+ its('tags') { should_not be_empty }
+ end
+end
\ No newline at end of file
diff --git a/test/unit/resources/aws_apigateway_client_certificate_test.rb b/test/unit/resources/aws_apigateway_client_certificate_test.rb
new file mode 100644
index 000000000..0448fcd06
--- /dev/null
+++ b/test/unit/resources/aws_apigateway_client_certificate_test.rb
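Review bot: `its('tags') { should_not be_empty }` contradicts the singular control added in the same patch, which asserts `its('tags') { should be_empty }` for the very same `aws_api_gateway_client_certificate_id`; both cannot describe the same fixture. On the plural resource `tags` is a FilterTable column, and the unit test in this patch pins its value as `[{}]` for a certificate with no tags, so `should_not be_empty` passes whenever the account holds at least one certificate and says nothing about tagging at all. Every `include` assertion here likewise matches any certificate in the account, not the fixture; scoping the describe with `describe aws_apigateway_client_certificates.where(client_certificate_id: aws_api_gateway_client_certificate_id) do` makes the assertions about the intended certificate. The `Time.parse` calls on attributes that default to `''` will raise rather than fail when the attribute file is absent, as in the singular control.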
@@ -0,0 +1,64 @@
+require 'helper'
+require 'aws_apigateway_client_certificate'
+require 'aws-sdk-core'
+
+class AWSApiGatewayClientCertificateConstructorTest < Minitest::Test
+
+ def test_empty_params_not_ok
+ assert_raises(ArgumentError) { AWSApiGatewayClientCertificate.new(client_args: { stub_responses: true }) }
+ end
+
+ def test_empty_param_arg_not_ok
+ assert_raises(ArgumentError) { AWSApiGatewayClientCertificate.new(client_certificate_id: '', client_args: { stub_responses: true }) }
+ end
+
+ def test_rejects_unrecognized_params
+ assert_raises(ArgumentError) { AWSApiGatewayClientCertificate.new(unexpected: 9) }
+ end
+end
+
+class AWSApiGatewayClientCertificateSuccessPathTest < Minitest::Test
+
+ def setup
+ data = {}
+ data[:method] = :get_client_certificate
+ mock_data = {}
+ mock_data[:client_certificate_id] = 'test1'
+ mock_data[:description] = 'test1'
+ mock_data[:pem_encoded_certificate] = 'test1'
+ mock_data[:created_date] = Time.parse("2013-06-11T23:52:02Z2020-06-05T11:30:39.730000+01:00")
+ mock_data[:expiration_date] = Time.parse("2013-06-11T23:52:02Z2020-06-05T11:30:39.730000+01:00")
+ mock_data[:tags] = {}
+ data[:data] = [mock_data]
+ data[:client] = Aws::APIGateway::Client
+ @resp = AWSApiGatewayClientCertificate.new(client_certificate_id: 'test1', client_args: { stub_responses: true }, stub_data: [data])
+ end
+
+ def test_client_certificate_exists
+ assert @resp.exists?
+ end
+
+ def test_client_certificate_id
+ assert_equal(@resp.client_certificate_id, 'test1')
+ end
+
+ def test_description
+ assert_equal(@resp.description, 'test1')
+ end
+
+ def test_pem_encoded_certificate
+ assert_equal(@resp.pem_encoded_certificate, 'test1')
+ end
+
+ def test_created_date
+ assert_equal(@resp.created_date, Time.parse("2013-06-11T23:52:02Z2020-06-05T11:30:39.730000+01:00"))
+ end
+
+ def test_expiration_date
+ assert_equal(@resp.expiration_date, Time.parse("2013-06-11T23:52:02Z2020-06-05T11:30:39.730000+01:00"))
+ end
+
+ def test_tags
+ assert_equal(@resp.tags, {})
+ end
+end
diff --git a/test/unit/resources/aws_apigateway_client_certificates_test.rb b/test/unit/resources/aws_apigateway_client_certificates_test.rb
new file mode 100644
index 000000000..9ae2c586e
--- /dev/null
+++ b/test/unit/resources/aws_apigateway_client_certificates_test.rb
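Review bot: The stubbed timestamps are two ISO-8601 strings glued together (`"2013-06-11T23:52:02Z2020-06-05T11:30:39.730000+01:00"`); whatever `Time.parse` makes of that is an accident of `Date._parse`'s leniency, and `test_created_date`/`test_expiration_date` compare the resource's value against the same literal, so a real mapping error would still pass. One well-formed value, e.g. `Time.parse('2020-06-05T11:30:39.730000+01:00')`, held in a constant shared by `setup` and the assertions, keeps the fixture meaningful. Minitest's `assert_equal` takes `(expected, actual)` and every call here passes them reversed, which only affects the failure message but makes diagnostics read backwards. There is no test for the not-found path in which `exists?` is false, which is exactly the branch the `should_not exist` documentation relies on and the one most likely to be affected by how `catch_aws_errors` treats a NotFoundException.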
@@ -0,0 +1,60 @@
+require 'helper'
+require 'aws_apigateway_client_certificates'
+require 'aws-sdk-core'
+
+class AWSApiGatewayClientCertificatesConstructorTest < Minitest::Test
+
+ def test_empty_params_ok
+ AWSApiGatewayClientCertificates.new(client_args: { stub_responses: true })
+ end
+
+ def test_rejects_other_args
+ assert_raises(ArgumentError) { AWSApiGatewayClientCertificates.new('rubbish') }
+ end
+
+ def test_api_mapping_non_existing_for_empty_response
+ refute AWSApiGatewayClientCertificates.new(client_args: { stub_responses: true }).exist?
+ end
+end
+
+class AWSApiGatewayClientCertificatesHappyPathTest < Minitest::Test
+
+ def setup
+ data = {}
+ data[:method] = :get_client_certificates
+ mock_data = {}
+ mock_data[:client_certificate_id] = 'test1'
+ mock_data[:description] = 'test1'
+ mock_data[:pem_encoded_certificate] = 'test1'
+ mock_data[:created_date] = Time.parse("2013-06-11T23:52:02Z2020-06-05T11:30:39.730000+01:00")
+ mock_data[:expiration_date] = Time.parse("2013-06-11T23:52:02Z2020-06-05T11:30:39.730000+01:00")
+ mock_data[:tags] = {}
+ data[:data] = { :items => [mock_data] }
+ data[:client] = Aws::APIGateway::Client
+ @resp = AWSApiGatewayClientCertificates.new(client_args: { stub_responses: true }, stub_data: [data])
+ end
+
+ def test_client_certificate_ids
+ assert_equal(@resp.client_certificate_ids, ['test1'])
+ end
+
+ def test_descriptions
+ assert_equal(@resp.descriptions, ['test1'])
+ end
+
+ def test_pem_encoded_certificates
+ assert_equal(@resp.pem_encoded_certificates, ['test1'])
+ end
+
+ def test_created_dates
+ assert_equal(@resp.created_dates, [Time.parse("2013-06-11T23:52:02Z2020-06-05T11:30:39.730000+01:00")])
+ end
+
+ def test_expiration_dates
+ assert_equal(@resp.expiration_dates, [Time.parse("2013-06-11T23:52:02Z2020-06-05T11:30:39.730000+01:00")])
+ end
+
+ def test_tags
+ assert_equal(@resp.tags, [{}])
+ end
+end
From a3bd522f0e6dc355fab8e9af3750d108306d8991 Mon Sep 17 00:00:00 2001
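Review bot: The happy-path stub returns exactly one item on one page, so nothing here exercises the `.map ... .flatten` over several pages or several certificates that `fetch_data` is written for; a second `mock_data` entry in `{ :items => [...] }` (and a second stubbed page if the helper supports it) would pin column ordering and the flatten. The same glued-together timestamp literal as in the singular test appears in `setup`, `test_created_dates` and `test_expiration_dates`; a single well-formed `Time.parse('2020-06-05T11:30:39.730000+01:00')` keeps the fixture honest. `test_tags` expecting `[{}]` is a useful fact to state in a comment, e.g. `# tags is a per-certificate column: an untagged certificate still contributes an empty hash`, because it is exactly what makes a `should_not be_empty` assertion on `tags` in a control vacuous.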
From: Soumyodeep Karmakar
Date: Fri, 17 Sep 2021 20:54:38 +0530
Subject: [PATCH 2/4] removed the unused
Signed-off-by: Soumyodeep Karmakar
---
 docs/resources/aws_apigateway_authorizer.md | 88 -------------------
 docs/resources/aws_apigateway_authorizers.md | 73 ---------------
 libraries/aws_apigateway_authorizer.rb | 42 ---------
 libraries/aws_apigateway_authorizers.rb | 58 ------------
 .../controls/aws_apigateway_authorizer.rb | 28 ------
 .../controls/aws_apigateway_authorizers.rb | 28 ------
 .../aws_apigateway_authorizer_test.rb | 84 ------------------
 .../aws_apigateway_authorizers_test.rb | 80 -----------------
 8 files changed, 481 deletions(-)
 delete mode 100644 docs/resources/aws_apigateway_authorizer.md
 delete mode 100644 docs/resources/aws_apigateway_authorizers.md
 delete mode 100644 libraries/aws_apigateway_authorizer.rb
 delete mode 100644 libraries/aws_apigateway_authorizers.rb
 delete mode 100644 test/integration/verify/controls/aws_apigateway_authorizer.rb
 delete mode 100644 test/integration/verify/controls/aws_apigateway_authorizers.rb
 delete mode 100644 test/unit/resources/aws_apigateway_authorizer_test.rb
 delete mode 100644 test/unit/resources/aws_apigateway_authorizers_test.rb
diff --git a/docs/resources/aws_apigateway_authorizer.md b/docs/resources/aws_apigateway_authorizer.md
deleted file mode 100644
index f68850f17..000000000
--- a/docs/resources/aws_apigateway_authorizer.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: About the aws_apigateway_authorizer Resource
-platform: aws
----
-
-# aws_apigateway_authorizer
-
-Use the `aws_apigateway_authorizer` InSpec audit resource to test properties of a single specific AWS APIGateway Authorizer.
-
-The AWS::ApiGateway::Authorizer resource creates an authorization layer that API Gateway activates for methods that have authorization enabled. API Gateway activates the authorizer when a client calls those methods.
-
-## Syntax
-
-Ensure that the authorizer exists.
-
- describe aws_apigateway_authorizer(rest_api_id: 'RestAPIID', authorizer_id: 'AuthorizerID') do
- it { should exist }
- end
-
-## Parameters
-
-`rest_api_id authorizer_id` _(required)_
-
-| Property | Description |
-| --- | --- |
-| rest_api_id | The string identifier of the associated RestApi. |
-| authorizer_id | The identifier of the Authorizer resource. |
-
-For additional information, see the [AWS documentation on AWS APIGateway Authorizer.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-authorizer.html).
-
-## Properties
-
-| Property | Description | Field |
-| --- | --- | --- |
-| id | The identifier for the authorizer resource. | id |
-| name | The name of the authorizer. | name |
-| type | The authorizer type. | type |
-| provider_arns | A list of the Amazon Cognito user pool ARNs for the COGNITO_USER_POOLS authorizer. | provider_arns |
-| auth_type | Optional customer-defined field, used in OpenAPI imports and exports without functional impact. | auth_type |
-| authorizer_uri | Specifies the authorizer's Uniform Resource Identifier (URI). | authorizer_uri |
-| authorizer_credentials | Specifies the required credentials as an IAM role for API Gateway to invoke the authorizer. | authorizer_credentials |
-| identity_source | The identity source for which authorization is requested. | identity_source |
-| identity_validation_expression | A validation expression for the incoming identity token.
| identity_validation_expression |
-| authorizer_result_ttl_in_seconds | The TTL in seconds of cached authorizer results. | authorizer_result_ttl_in_seconds |
-
-## Examples
-
-### Ensure a id is available.
- describe aws_apigateway_authorizer(rest_api_id: 'RestAPIID', authorizer_id: 'AuthorizerID') do
- its('id') { should eq 'AuthorizerID' }
- end
-
-### Ensure a name is available.
- describe aws_apigateway_authorizer(rest_api_id: 'RestAPIID', authorizer_id: 'AuthorizerID') do
- its('name') { should eq 'AuthorizerName' }
- end
-
-## Matchers
-
-This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
-
-The controls will pass if the `get` method returns at least one result.
-
-### exist
-
-Use `should` to test that the entity exists.
-
- describe aws_apigateway_authorizer(rest_api_id: 'RestAPIID', authorizer_id: 'AuthorizerID') do
- it { should exist }
- end
-
-Use `should_not` to test the entity does not exist.
-
- describe aws_apigateway_authorizer(rest_api_id: 'dummy', authorizer_id: 'dummy') do
- it { should_not exist }
- end
-
-### be_available
-
-Use `should` to check if the entity is available.
-
- describe aws_apigateway_authorizer(rest_api_id: 'RestAPIID', authorizer_id: 'AuthorizerID') do
- it { should be_available }
- end
-
-## AWS Permissions
-
-Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `APIGateway:Client:Authorizer` action with `Effect` set to `Allow`.
\ No newline at end of file
diff --git a/docs/resources/aws_apigateway_authorizers.md b/docs/resources/aws_apigateway_authorizers.md
deleted file mode 100644
index 5e946150c..000000000
--- a/docs/resources/aws_apigateway_authorizers.md
+++ /dev/null
@@ -1,73 +0,0 @@
----
-title: About the aws_apigateway_authorizers Resource
-platform: aws
----
-
-# aws_apigateway_authorizers
-
-Use the `aws_apigateway_authorizers` InSpec audit resource to test properties of the plural AWS APIGateway Authorizer.
-
-The AWS::ApiGateway::Authorizer resource creates an authorization layer that API Gateway activates for methods that have authorization enabled. API Gateway activates the authorizer when a client calls those methods.
-
-## Syntax
-
-Ensure that the authorizer exists.
-
- describe aws_apigateway_authorizers do
- it { should exist }
- end
-
-## Parameters
-
-For additional information, see the [AWS documentation on AWS APIGateway Authorizer.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-authorizer.html).
-
-## Properties
-
-| Property | Description | Field |
-| --- | --- | --- |
-| ids | The identifier for the authorizer resource. | id |
-| names | The name of the authorizer. | name |
-| types | The authorizer type. | type |
-| provider_arns | A list of the Amazon Cognito user pool ARNs for the COGNITO_USER_POOLS authorizer. | provider_arns |
-| auth_types | Optional customer-defined field, used in OpenAPI imports and exports without functional impact. | auth_type |
-| authorizer_uris | Specifies the authorizer's Uniform Resource Identifier (URI). | authorizer_uri |
-| authorizer_credentials | Specifies the required credentials as an IAM role for API Gateway to invoke the authorizer. | authorizer_credentials |
-| identity_sources | The identity source for which authorization is requested. | identity_source |
-| identity_validation_expressions | A validation expression for the incoming identity token. | identity_validation_expression |
-| authorizer_result_ttl_in_seconds | The TTL in seconds of cached authorizer results. | authorizer_result_ttl_in_seconds |
-
-## Examples
-
-### Ensure a id is available.
- describe aws_apigateway_authorizers do
- its('ids') { should include 'AuthorizerID' }
- end
-
-### Ensure a name is available.
- describe aws_apigateway_authorizers do
- its('names') { should include 'AuthorizerName' }
- end
-
-## Matchers
-
-This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
-
-The controls will pass if the `get` method returns at least one result.
-
-### exist
-
-Use `should` to test that the entity exists.
-
- describe aws_apigateway_authorizers do
- it { should exist }
- end
-
-Use `should_not` to test the entity does not exist.
-
- describe aws_apigateway_authorizers do
- it { should_not exist }
- end
-
-## AWS Permissions
-
-Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `APIGateway:Client:ApiKeys` action with `Effect` set to `Allow`.
\ No newline at end of file
diff --git a/libraries/aws_apigateway_authorizer.rb b/libraries/aws_apigateway_authorizer.rb
deleted file mode 100644
index 8768b91c4..000000000
--- a/libraries/aws_apigateway_authorizer.rb
+++ /dev/null
@@ -1,42 +0,0 @@
-# frozen_string_literal: true
-
-require 'aws_backend'
-
-class AWSApiGatewayAuthorizer < AwsResourceBase
- name 'aws_apigateway_authorizer'
- desc 'Describe an existing Authorizer resource.'
-
- example "
- describe aws_apigateway_authorizer(rest_api_id: 'RestAPIID', authorizer_id: 'AuthorizerID') do
- it { should exist }
- end
- "
-
- def initialize(opts = {})
- opts = { api_id: opts } if opts.is_a?(String)
- opts = { authorizer_id: opts } if opts.is_a?(String)
- super(opts)
- validate_parameters(required: %i(rest_api_id authorizer_id))
- raise ArgumentError, "#{@__resource_name__}: rest_api_id must be provided" unless opts[:rest_api_id] && !opts[:rest_api_id].empty?
- raise ArgumentError, "#{@__resource_name__}: authorizer_id must be provided" unless opts[:authorizer_id] && !opts[:authorizer_id].empty?
- @display_name = opts[:authorizer_id]
- catch_aws_errors do
- resp = @aws.apigateway_client.get_authorizer({ rest_api_id: opts[:rest_api_id], authorizer_id: opts[:authorizer_id] })
- @res = resp.to_h
- create_resource_methods(@res)
- end
- end
-
- def authorizer_id
- return nil unless exists?
- @res[:authorizer_id]
- end
-
- def exists?
- !@res.nil? && !@res.empty?
- end
-
- def to_s
- "Authorizer ID: #{@display_name}"
- end
-end
diff --git a/libraries/aws_apigateway_authorizers.rb b/libraries/aws_apigateway_authorizers.rb
deleted file mode 100644
index 854db4066..000000000
--- a/libraries/aws_apigateway_authorizers.rb
+++ /dev/null
@@ -1,58 +0,0 @@
-# frozen_string_literal: true
-
-require 'aws_backend'
-
-class AWSApiGatewayAuthorizers < AwsResourceBase
- name 'aws_apigateway_authorizers'
- desc 'Describe an existing Authorizers resource.'
-
- example "
- describe aws_apigateway_authorizers(rest_api_id: 'RestAPIID') do
- it { should exist }
- end
- "
-
- attr_reader :table
-
- FilterTable.create
- .register_column(:ids, field: :id)
- .register_column(:names, field: :name)
- .register_column(:types, field: :type)
- .register_column(:provider_arns, field: :provider_arns)
- .register_column(:auth_types, field: :auth_type)
- .register_column(:authorizer_uris, field: :authorizer_uri)
- .register_column(:authorizer_credentials, field: :authorizer_credentials)
- .register_column(:identity_sources, field: :identity_source)
- .register_column(:identity_validation_expressions, field: :identity_validation_expression)
- .register_column(:authorizer_result_ttl_in_seconds, field: :authorizer_result_ttl_in_seconds)
- .install_filter_methods_on_resource(self, :table)
-
- def initialize(opts = {})
- super(opts)
- validate_parameters(required: %i(rest_api_id))
- @query_params = {}
- raise ArgumentError, "#{@__resource_name__}: rest_api_id must be provided" unless opts[:rest_api_id] && !opts[:rest_api_id].empty?
- @query_params[:rest_api_id] = opts[:rest_api_id]
- @table = fetch_data
- end
-
- def fetch_data
- catch_aws_errors do
- @table = @aws.apigateway_client.get_authorizers(@query_params).map do |table|
- table.items.map { |table_name| {
- id: table_name.id,
- name: table_name.name,
- type: table_name.type,
- provider_arns: table_name.provider_arns,
- auth_type: table_name.auth_type,
- authorizer_uri: table_name.authorizer_uri,
- authorizer_credentials: table_name.authorizer_credentials,
- identity_source: table_name.identity_source,
- identity_validation_expression: table_name.identity_validation_expression,
- authorizer_result_ttl_in_seconds: table_name.authorizer_result_ttl_in_seconds,
- }
- }
- end.flatten
- end
- end
-end
diff --git a/test/integration/verify/controls/aws_apigateway_authorizer.rb b/test/integration/verify/controls/aws_apigateway_authorizer.rb
deleted file mode 100644
index 344ca1548..000000000
--- a/test/integration/verify/controls/aws_apigateway_authorizer.rb
+++ /dev/null
@@ -1,28 +0,0 @@
-aws_api_gateway_authorizer_id = attribute(:aws_api_gateway_authorizer_id, value: '', description: '')
-aws_api_gateway_rest_api_id = attribute(:aws_api_gateway_rest_api_id, value: '', description: '')
-aws_api_gateway_authorizer_authorizer_credentials = attribute(:aws_api_gateway_authorizer_authorizer_credentials, value: '', description: '')
-aws_api_gateway_authorizer_authorizer_result_ttl_in_seconds = attribute(:aws_api_gateway_authorizer_authorizer_result_ttl_in_seconds, value: '', description: '')
-aws_api_gateway_authorizer_authorizer_uri = attribute(:aws_api_gateway_authorizer_authorizer_uri, value: '', description: '')
-
-control 'aws-apigateway-authorizer' do
-
- impact 1.0
- title 'Ensure API Gateway Authorizer resource has the correct properties.'
-
- describe aws_apigateway_authorizer(rest_api_id: aws_api_gateway_rest_api_id, authorizer_id: aws_api_gateway_authorizer_id) do
- it { should exist }
- end
-
- describe aws_apigateway_authorizer(rest_api_id: aws_api_gateway_rest_api_id, authorizer_id: aws_api_gateway_authorizer_id) do
- its('id') { should eq aws_api_gateway_authorizer_id }
- its('name') { should eq 'aws_api_gateway_authorizer_test_demo' }
- its('type') { should eq 'TOKEN' }
- its('provider_arns') { should be_empty }
- its('auth_type') { should eq 'custom' }
- its('authorizer_uri') { should eq aws_api_gateway_authorizer_authorizer_uri }
- its('authorizer_credentials') { should eq aws_api_gateway_authorizer_authorizer_credentials }
- its('identity_source') { should eq 'method.request.header.Authorization' }
- its('identity_validation_expression') { should be_empty }
- its('authorizer_result_ttl_in_seconds') { should eq aws_api_gateway_authorizer_authorizer_result_ttl_in_seconds }
- end
-end
\ No newline at end of file
diff --git a/test/integration/verify/controls/aws_apigateway_authorizers.rb b/test/integration/verify/controls/aws_apigateway_authorizers.rb
deleted file mode 100644
index c1b7220af..000000000
--- a/test/integration/verify/controls/aws_apigateway_authorizers.rb
+++ /dev/null
@@ -1,28 +0,0 @@
-aws_api_gateway_authorizer_id = attribute(:aws_api_gateway_authorizer_id, value: '', description: '')
-aws_api_gateway_rest_api_id = attribute(:aws_api_gateway_rest_api_id, value: '', description: '')
-aws_api_gateway_authorizer_authorizer_credentials = attribute(:aws_api_gateway_authorizer_authorizer_credentials, value: '', description: '')
-aws_api_gateway_authorizer_authorizer_result_ttl_in_seconds = attribute(:aws_api_gateway_authorizer_authorizer_result_ttl_in_seconds, value: '', description: '')
-aws_api_gateway_authorizer_authorizer_uri = attribute(:aws_api_gateway_authorizer_authorizer_uri, value: '', description: '')
-
-control 'aws-apigateway-authorizers' do
-
- impact 1.0
- title 'Ensure API Gateway Authorizer resource has the correct properties.'
-
- describe aws_apigateway_authorizers(rest_api_id: aws_api_gateway_rest_api_id) do
- it { should exist }
- end
-
- describe aws_apigateway_authorizers(rest_api_id: aws_api_gateway_rest_api_id) do
- its('ids') { should include aws_api_gateway_authorizer_id }
- its('names') { should include 'aws_api_gateway_authorizer_test_demo' }
- its('types') { should include 'TOKEN' }
- its('provider_arns') { should_not be_empty }
- its('auth_types') { should include 'custom' }
- its('authorizer_uris') { should include aws_api_gateway_authorizer_authorizer_uri }
- its('authorizer_credentials') { should include aws_api_gateway_authorizer_authorizer_credentials }
- its('identity_sources') { should include 'method.request.header.Authorization' }
- its('identity_validation_expressions') { should_not be_empty }
- its('authorizer_result_ttl_in_seconds') { should include aws_api_gateway_authorizer_authorizer_result_ttl_in_seconds }
- end
-end
\ No newline at end of file
diff --git a/test/unit/resources/aws_apigateway_authorizer_test.rb b/test/unit/resources/aws_apigateway_authorizer_test.rb
deleted file mode 100644
index eac3bdee5..000000000
--- a/test/unit/resources/aws_apigateway_authorizer_test.rb
+++ /dev/null
@@ -1,84 +0,0 @@
-require 'helper'
-require 'aws_apigateway_authorizer'
-require 'aws-sdk-core'
-
-class AWSApiGatewayAuthorizerConstructorTest < Minitest::Test
-
- def test_empty_params_not_ok
- assert_raises(ArgumentError) { AWSApiGatewayAuthorizer.new(client_args: { stub_responses: true }) }
- end
-
- def test_empty_param_arg_not_ok
- assert_raises(ArgumentError) { AWSApiGatewayAuthorizer.new(rest_api_id: '', authorizer_id: '', client_args: { stub_responses: true }) }
- end
-
- def test_rejects_unrecognized_params
- assert_raises(ArgumentError) { AWSApiGatewayAuthorizer.new(unexpected: 9) }
- end
-end
-
-class AWSApiGatewayAuthorizerSuccessPathTest < Minitest::Test
-
- def setup
- data = {}
- data[:method] = :get_authorizer
- mock_data = {}
- mock_data[:id] = 'test1'
- mock_data[:name] = 'test1'
- mock_data[:type] = 'test1'
- mock_data[:provider_arns] = ['test1']
- mock_data[:auth_type] = 'test1'
- mock_data[:authorizer_uri] = 'test1'
- mock_data[:authorizer_credentials] = 'test1'
- mock_data[:identity_source] = 'test1'
- mock_data[:identity_validation_expression] = 'test1'
- mock_data[:authorizer_result_ttl_in_seconds] = 1
- data[:data] = [mock_data]
- data[:client] = Aws::APIGateway::Client
- @resp = AWSApiGatewayAuthorizer.new(rest_api_id: 'test1', authorizer_id: 'test1', client_args: { stub_responses: true }, stub_data: [data])
- end
-
- def test_authorizer_exists
- assert @resp.exists?
- end
-
- def test_id
- assert_equal(@resp.id, 'test1')
- end
-
- def test_name
- assert_equal(@resp.name, 'test1')
- end
-
- def test_type
- assert_equal(@resp.type, 'test1')
- end
-
- def test_provider_arns
- assert_equal(@resp.provider_arns, ['test1'])
- end
-
- def test_auth_type
- assert_equal(@resp.auth_type, 'test1')
- end
-
- def test_authorizer_uri
- assert_equal(@resp.authorizer_uri, 'test1')
- end
-
- def test_authorizer_credentials
- assert_equal(@resp.authorizer_credentials, 'test1')
- end
-
- def test_identity_source
- assert_equal(@resp.identity_source, 'test1')
- end
-
- def test_identity_validation_expression
- assert_equal(@resp.identity_validation_expression, 'test1')
- end
-
- def test_authorizer_result_ttl_in_seconds
- assert_equal(@resp.authorizer_result_ttl_in_seconds, 1)
- end
-end
diff --git a/test/unit/resources/aws_apigateway_authorizers_test.rb b/test/unit/resources/aws_apigateway_authorizers_test.rb
deleted file mode 100644
index a026570a3..000000000
--- a/test/unit/resources/aws_apigateway_authorizers_test.rb
+++ /dev/null
@@ -1,80 +0,0 @@
-require 'helper'
-require 'aws_apigateway_authorizers'
-require 'aws-sdk-core'
-
-class AWSApiGatewayAuthorizersConstructorTest < Minitest::Test
-
- def test_empty_params_ok
- AWSApiGatewayAuthorizers.new(rest_api_id: 'test1', client_args: { stub_responses: true })
- end
-
- def test_rejects_other_args
- assert_raises(ArgumentError) { AWSApiGatewayAuthorizers.new('rubbish') }
- end
-
- def test_api_mapping_non_existing_for_empty_response
- refute AWSApiGatewayAuthorizers.new(rest_api_id: 'test1', client_args: { stub_responses: true }).exist?
- end
-end
-
-class AWSApiGatewayAuthorizersHappyPathTest < Minitest::Test
-
- def setup
- data = {}
- data[:method] = :get_authorizers
- mock_data = {}
- mock_data[:id] = 'test1'
- mock_data[:name] = 'test1'
- mock_data[:type] = 'test1'
- mock_data[:provider_arns] = ['test1']
- mock_data[:auth_type] = 'test1'
- mock_data[:authorizer_uri] = 'test1'
- mock_data[:authorizer_credentials] = 'test1'
- mock_data[:identity_source] = 'test1'
- mock_data[:identity_validation_expression] = 'test1'
- mock_data[:authorizer_result_ttl_in_seconds] = 1
- data[:data] = { :items => [mock_data] }
- data[:client] = Aws::APIGateway::Client
- @resp = AWSApiGatewayAuthorizers.new(rest_api_id: 'test1', client_args: { stub_responses: true }, stub_data: [data])
- end
-
- def test_ids
- assert_equal(@resp.ids, ['test1'])
- end
-
- def test_names
- assert_equal(@resp.names, ['test1'])
- end
-
- def test_types
- assert_equal(@resp.types, ['test1'])
- end
-
- def test_provider_arns
- assert_equal(@resp.provider_arns, [['test1']])
- end
-
- def test_auth_types
- assert_equal(@resp.auth_types, ['test1'])
- end
-
- def test_authorizer_uris
- assert_equal(@resp.authorizer_uris, ['test1'])
- end
-
- def test_authorizer_credentials
- assert_equal(@resp.authorizer_credentials, ['test1'])
- end
-
- def test_identity_sources
- assert_equal(@resp.identity_sources, ['test1'])
- end
-
- def test_identity_validation_expressions
- assert_equal(@resp.identity_validation_expressions, ['test1'])
- end
-
- def test_authorizer_result_ttl_in_seconds
- assert_equal(@resp.authorizer_result_ttl_in_seconds, [1])
- end
-end
From c25684656b3a0740f669891f6dd7ca1421ba32af Mon Sep 17 00:00:00 2001
From: Soumyodeep Karmakar
Date: Thu, 23 Sep 2021 11:59:21 +0530
Subject: [PATCH 3/4] updated the docs
Signed-off-by: Soumyodeep Karmakar
---
 docs/resources/aws_apigateway_client_certificates.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/resources/aws_apigateway_client_certificates.md b/docs/resources/aws_apigateway_client_certificates.md
index 00808eb29..252b177ad 100644
--- a/docs/resources/aws_apigateway_client_certificates.md
+++ b/docs/resources/aws_apigateway_client_certificates.md
@@ -36,12 +36,12 @@ For additional information, see the [AWS documentation on AWS APIGateway ClientC
 ### Ensure a client certificate id is available.
 describe aws_apigateway_client_certificates do
- its('client_certificate_id') { should include 'ClientCertificateID' }
+ its('client_certificate_ids') { should include 'ClientCertificateID' }
 end
 ### Ensure a pem encoded certificate is available.
 describe aws_apigateway_client_certificates do
- its('pem_encoded_certificate') { should include 'PemEncodedCertificate' }
+ its('pem_encoded_certificates') { should include 'PemEncodedCertificate' }
 end
 ## Matchers
From 6bc4ce566d1592b09e8cd70738e5780fc9073bba Mon Sep 17 00:00:00 2001
From: Ian Maddaus
Date: Wed, 6 Oct 2021 14:46:45 -0700
Subject: [PATCH 4/4] Docs edits
Signed-off-by: Ian Maddaus
---
 .../aws_apigateway_client_certificate.md | 44 +++++++++----------
 .../aws_apigateway_client_certificates.md | 22 ++++++----
 2 files changed, 35 insertions(+), 31 deletions(-)
diff --git a/docs/resources/aws_apigateway_client_certificate.md b/docs/resources/aws_apigateway_client_certificate.md
index a71e87df9..303dec30b 100644
--- a/docs/resources/aws_apigateway_client_certificate.md
+++ b/docs/resources/aws_apigateway_client_certificate.md
@@ -5,15 +5,15 @@ platform: aws
 # aws_apigateway_client_certificate
-Use the `aws_apigateway_client_certificate` InSpec audit resource to test properties of a single specific AWS APIGateway ClientCertificate.
+Use the `aws_apigateway_client_certificate` InSpec audit resource to test properties of a single specific AWS API Gateway client certificate.
-The AWS::ApiGateway::ClientCertificate resource creates a client certificate that API Gateway uses to configure client-side SSL authentication for sending requests to the integration endpoint.
+The `AWS::ApiGateway::ClientCertificate` resource creates a client certificate that API Gateway uses to configure client-side SSL authentication for sending requests to the integration endpoint.
 ## Syntax
 Ensure that the client certificate exists.
- describe aws_apigateway_client_certificate(client_certificate_id: 'ClientCertificateID') do
+ describe aws_apigateway_client_certificate(client_certificate_id: 'CLIENT_CERTIFICATE_ID') do
 it { should exist }
 end
@@ -21,33 +21,33 @@ Ensure that the client certificate exists.
 `client_certificate_id` _(required)_
-| Property | Description |
-| --- | --- |
-| client_certificate_id | The identifier of the client certificate. |
+The identifier of the client certificate.
 For additional information, see the [AWS documentation on AWS APIGateway ClientCertificate.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-clientcertificate.html).
 ## Properties
-| Property | Description | Field |
-| --- | --- | --- |
-| client_certificate_id | The identifier of the client certificate. | client_certificate_id |
-| description | The description of the client certificate. | description |
-| pem_encoded_certificate | The PEM-encoded public key of the client certificate, which can be used to configure certificate authentication in the integration endpoint .| pem_encoded_certificate |
-| created_date | The timestamp when the client certificate was created.| created_date |
-| expiration_date | The timestamp when the client certificate will expire.| expiration_date |
-| tags | The collection of tags. Each tag element is associated with a given resource. | tags |
+| Property | Description |
+| --- | --- |
+| client_certificate_id | The identifier of the client certificate. |
+| description | The description of the client certificate. |
+| pem_encoded_certificate | The PEM-encoded public key of the client certificate, which can be used to configure certificate authentication in the integration endpoint .|
+| created_date | The timestamp when the client certificate was created.|
+| expiration_date | The timestamp when the client certificate will expire.|
+| tags | The collection of tags. Each tag element is associated with a given resource. |
 ## Examples
 ### Ensure a client certificate id is available.
- describe aws_apigateway_client_certificate(client_certificate_id: 'ClientCertificateID') do
- its('client_certificate_id') { should eq 'ClientCertificateID' }
+
+ describe aws_apigateway_client_certificate(client_certificate_id: 'CLIENT_CERTIFICATE_ID') do
+ its('client_certificate_id') { should eq 'CLIENT_CERTIFICATE_ID' }
 end
 ### Ensure a pem encoded certificate is available.
- describe aws_apigateway_client_certificate(client_certificate_id: 'ClientCertificateID') do
- its('pem_encoded_certificate') { should eq 'PemEncodedCertificate' }
+
+ describe aws_apigateway_client_certificate(client_certificate_id: 'CLIENT_CERTIFICATE_ID') do
+ its('pem_encoded_certificate') { should eq 'PEM_ENCODED_CERTIFICATE' }
 end
 ## Matchers
@@ -60,13 +60,13 @@ The controls will pass if the `get` method returns at least one result.
 Use `should` to test that the entity exists.
- describe aws_apigateway_client_certificate(client_certificate_id: 'ClientCertificateID') do
+ describe aws_apigateway_client_certificate(client_certificate_id: 'CLIENT_CERTIFICATE_ID') do
 it { should exist }
 end
 Use `should_not` to test the entity does not exist.
- describe aws_apigateway_client_certificate(client_certificate_id: 'dummy') do
+ describe aws_apigateway_client_certificate(client_certificate_id: 'CLIENT_CERTIFICATE_ID') do
 it { should_not exist }
 end
@@ -74,10 +74,10 @@ Use `should_not` to test the entity does not exist.
 Use `should` to check if the entity is available.
- describe aws_apigateway_client_certificate(client_certificate_id: 'ClientCertificateID') do
+ describe aws_apigateway_client_certificate(client_certificate_id: 'CLIENT_CERTIFICATE_ID') do
 it { should be_available }
 end
 ## AWS Permissions
-Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `APIGateway:Client:ClientCertificate` action with `Effect` set to `Allow`.
\ No newline at end of file
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `APIGateway:Client:ClientCertificate` action with `Effect` set to `Allow`.
diff --git a/docs/resources/aws_apigateway_client_certificates.md b/docs/resources/aws_apigateway_client_certificates.md
index 252b177ad..4ee90240c 100644
--- a/docs/resources/aws_apigateway_client_certificates.md
+++ b/docs/resources/aws_apigateway_client_certificates.md
@@ -5,9 +5,9 @@ platform: aws
 # aws_apigateway_client_certificates
-Use the `aws_apigateway_client_certificates` InSpec audit resource to test properties of the plural AWS APIGateway ClientCertificate.
+Use the `aws_apigateway_client_certificates` InSpec audit resource to test properties of multiple AWS API Gateway client certificates.
-The AWS::ApiGateway::ClientCertificate resource creates a client certificate that API Gateway uses to configure client-side SSL authentication for sending requests to the integration endpoint.
+The `AWS::ApiGateway::ClientCertificate` resource creates a client certificate that API Gateway uses to configure client-side SSL authentication for sending requests to the integration endpoint.
 ## Syntax
@@ -19,11 +19,13 @@ Ensure that the client certificate exists.
 ## Parameters
-For additional information, see the [AWS documentation on AWS APIGateway ClientCertificate.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-clientcertificate.html).
+This resource does not require any parameters.
+
+For additional information, see the [AWS documentation on AWS API Gateway client certificate.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-clientcertificate.html).
 ## Properties
-| Property | Description | Field |
+| Property | Description | Field |
 | --- | --- | --- |
 | client_certificate_ids | The identifier of the client certificate. | client_certificate_id |
 | descriptions | The description of the client certificate. | description |
@@ -34,14 +36,16 @@ For additional information, see the [AWS documentation on AWS APIGateway ClientC
 ## Examples
-### Ensure a client certificate id is available.
+### Ensure a client certificate ID is available.
+
 describe aws_apigateway_client_certificates do
- its('client_certificate_ids') { should include 'ClientCertificateID' }
+ its('client_certificate_ids') { should include 'CLIENT_CERTIFICATE_ID' }
 end
-### Ensure a pem encoded certificate is available.
+### Ensure a PEM encoded certificate is available.
+
 describe aws_apigateway_client_certificates do
- its('pem_encoded_certificates') { should include 'PemEncodedCertificate' }
+ its('pem_encoded_certificates') { should include 'PEM_ENCODED_CERTIFICATE' }
 end
 ## Matchers
@@ -66,4 +70,4 @@ Use `should_not` to test the entity does not exist.
 ## AWS Permissions
-Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `APIGateway:Client:ClientCertificate` action with `Effect` set to `Allow`.
\ No newline at end of file
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `APIGateway:Client:ClientCertificate` action with `Effect` set to `Allow`.