From 6c41e8e42c7b236a20156fb4c777e8107e180362 Mon Sep 17 00:00:00 2001 From: Nirbhay Kumar Date: Thu, 28 Oct 2021 01:31:12 +0530 Subject: [PATCH 01/14] added singular and plural resource Signed-off-by: Nirbhay Kumar --- docs/resources/aws_ec2_client_vpn_endpoint.md | 109 ++++++++++++++++++ .../resources/aws_ec2_client_vpn_endpoints.md | 105 +++++++++++++++++ docs/resources/aws_ec2_vpn_endpoint.md | 0 docs/resources/aws_ec2_vpn_endpoints.md | 0 libraries/aws_ec2_client_vpn_endpoint.rb | 40 +++++++ libraries/aws_ec2_client_vpn_endpoints.rb | 57 +++++++++ .../verify/controls/aws_ec2_vpn_endpoint.rb | 0 .../verify/controls/aws_ec2_vpn_endpoints.rb | 0 .../aws_ec2_client_vpn_endpoint_test.rb | 70 +++++++++++ .../aws_ec2_client_vpn_endpoints_test.rb | 58 ++++++++++ 10 files changed, 439 insertions(+) create mode 100644 docs/resources/aws_ec2_client_vpn_endpoint.md create mode 100644 docs/resources/aws_ec2_client_vpn_endpoints.md create mode 100644 docs/resources/aws_ec2_vpn_endpoint.md create mode 100644 docs/resources/aws_ec2_vpn_endpoints.md create mode 100644 libraries/aws_ec2_client_vpn_endpoint.rb create mode 100644 libraries/aws_ec2_client_vpn_endpoints.rb create mode 100644 test/integration/verify/controls/aws_ec2_vpn_endpoint.rb create mode 100644 test/integration/verify/controls/aws_ec2_vpn_endpoints.rb create mode 100644 test/unit/resources/aws_ec2_client_vpn_endpoint_test.rb create mode 100644 test/unit/resources/aws_ec2_client_vpn_endpoints_test.rb diff --git a/docs/resources/aws_ec2_client_vpn_endpoint.md b/docs/resources/aws_ec2_client_vpn_endpoint.md new file mode 100644 index 000000000..b1237e38d --- /dev/null +++ b/docs/resources/aws_ec2_client_vpn_endpoint.md 
@@ -0,0 +1,109 @@ +--- +title: About the aws_ec2_client_vpn_endpoint Resource +platform: aws +--- + +# aws_ec2_client_vpn_endpoint + +Use the `aws_ec2_client_vpn_endpoint` InSpec audit resource to test properties of a single specific AWS EC2 Client Vpn Endpoint. + +The AWS::EC2::ClientVpnEndpoint specifies a Client VPN endpoint. + +## Syntax + +Ensure that the client vpn endpoint exists. + + describe aws_ec2_client_vpn_endpoint(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do + it { should exist } + end + +## Parameters + +`client_vpn_endpoint_id` _(required)_ + +The ID of the Client VPN endpoint. + +For additional information, see the [AWS documentation on AWS EC2 ClientVpnEndpoint.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-clientvpnendpoint.html). + +## Properties + +| Property | Description | Field | +| --- | --- | --- | +| client_vpn_endpoint_id | The ID of the Client VPN endpoint. | +| description | A brief description of the endpoint. | +| status.code | The state of the Client VPN endpoint. | +| status.message | A message about the status of the Client VPN endpoint. | +| creation_time | The date and time the Client VPN endpoint was created. | +| deletion_time | The date and time the Client VPN endpoint was deleted, if applicable. | +| dns_name | The DNS name to be used by clients when connecting to the Client VPN endpoint. | +| client_cidr_block | The IPv4 address range, in CIDR notation, from which client IP addresses are assigned. | +| dns_servers | Information about the DNS servers to be used for DNS resolution. | +| split_tunnel | Indicates whether split-tunnel is enabled in the Client VPN endpoint. | +| vpn_protocol | The protocol used by the VPN session. | +| transport_protocol | The transport protocol used by the Client VPN endpoint. | +| vpn_port | The port number for the Client VPN endpoint. | +| associated_target_networks | Information about the associated target networks. 
A target network is a subnet in a VPC. | +| associated_target_network_id | The ID of the subnet. | +| associated_target_network_type | The target network type. | +| server_certificate_arn | The ARN of the server certificate. | +| authentication_options | Information about the authentication method used by the Client VPN endpoint. | +| authentication_options_types | The authentication type used. | +| authentication_options_active_directory_ids | The ID of the Active Directory used for authentication. | +| authentication_options_mutual_authentication.client_root_certificate_chains | The ARN of the client certificate. | +| authentication_options_federated_authentication_saml_provider_arns | The Amazon Resource Name (ARN) of the IAM SAML identity provider. | +| authentication_options_federated_authentication_self_service_saml_provider_arns | The Amazon Resource Name (ARN) of the IAM SAML identity provider for the self-service portal. | +| connection_log_options_enabled | Indicates whether client connection logging is enabled for the Client VPN endpoint. | +| connection_log_options_cloudwatch_log_groups | The name of the Amazon CloudWatch Logs log group to which connection logging data is published. | +| connection_log_options_cloudwatch_log_streams | The name of the Amazon CloudWatch Logs log stream to which connection logging data is published. | +| tags | Describes a tag. | +| security_group_ids | The IDs of the security groups for the target network. | +| vpc_id | The ID of the VPC. | +| self_service_portal_url | The URL of the self-service portal. | +| client_connect_options_enabled | Indicates whether client connect options are enabled. | +| client_connect_options_lambda_function_arns | The Amazon Resource Name (ARN) of the Lambda function used for connection authorization. | +| client_connect_options_status_codes | The status code. | +| client_connect_options_status_messages | The status message. 
| + +## Examples + +### Ensure a client vpn endpoint id is available. + describe aws_ec2_client_vpn_endpoint(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do + its('client_vpn_endpoint_id') { should eq 'CLIENT_VPN_ENDPOINT_ID' } + end + +### Ensure that the status code is `available`. + describe aws_ec2_client_vpn_endpoint(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do + its('status.code') { should eq 'available' } + end + +## Matchers + +This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/). + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + + describe aws_ec2_client_vpn_endpoint(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do + it { should exist } + end + +Use `should_not` to test the entity does not exist. + + describe aws_ec2_client_vpn_endpoint(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do + it { should_not exist } + end + +### be_available + +Use `should` to check if the entity is available. + + describe aws_ec2_client_vpn_endpoint(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do + it { should be_available } + end + +## AWS Permissions + +Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `EC2:Client:DescribeClientVpnEndpointsResult` action with `Effect` set to `Allow`. \ No newline at end of file diff --git a/docs/resources/aws_ec2_client_vpn_endpoints.md b/docs/resources/aws_ec2_client_vpn_endpoints.md new file mode 100644 index 000000000..9abf5cc99 --- /dev/null +++ b/docs/resources/aws_ec2_client_vpn_endpoints.md 
@@ -0,0 +1,105 @@ +--- +title: About the aws_ec2_client_vpn_endpoints Resource +platform: aws +--- + +# aws_ec2_client_vpn_endpoints + +Use the `aws_ec2_client_vpn_endpoints` InSpec audit resource to test properties of a single specific AWS EC2 Client Vpn Endpoint. + +The AWS::EC2::ClientVpnEndpoint specifies a Client VPN endpoint. + +## Syntax + +Ensure that the client vpn endpoint exists. + + describe aws_ec2_client_vpn_endpoints do + it { should exist } + end + +## Parameters + +For additional information, see the [AWS documentation on AWS EC2 ClientVpnEndpoint.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-clientvpnendpoint.html). + +## Properties + +| Property | Description | Field | +| --- | --- | --- | +| client_vpn_endpoint_ids | The ID of the Client VPN endpoint. | client_vpn_endpoint_id | +| descriptions | A brief description of the endpoint. | description | +| status_codes | The state of the Client VPN endpoint. | status.code | +| status_messages | A message about the status of the Client VPN endpoint. | status.message | +| creation_times | The date and time the Client VPN endpoint was created. | creation_time | +| deletion_times | The date and time the Client VPN endpoint was deleted, if applicable. | deletion_time | +| dns_names | The DNS name to be used by clients when connecting to the Client VPN endpoint. | dns_name | +| client_cidr_blocks | The IPv4 address range, in CIDR notation, from which client IP addresses are assigned. | client_cidr_block | +| dns_servers | Information about the DNS servers to be used for DNS resolution. | dns_servers | +| split_tunnels | Indicates whether split-tunnel is enabled in the Client VPN endpoint. | split_tunnel | +| vpn_protocols | The protocol used by the VPN session. | vpn_protocol | +| transport_protocols | The transport protocol used by the Client VPN endpoint. | transport_protocol | +| vpn_ports | The port number for the Client VPN endpoint. 
| vpn_port | +| associated_target_networks | Information about the associated target networks. A target network is a subnet in a VPC. | associated_target_networks | +| associated_target_network_id | The ID of the subnet. | network_id | +| associated_target_network_type | The target network type. | network_type | +| server_certificate_arns | The ARN of the server certificate. | server_certificate_arn | +| authentication_options | Information about the authentication method used by the Client VPN endpoint. | authentication_options | +| authentication_options_types | The authentication type used. | type | +| authentication_options_active_directory_ids | The ID of the Active Directory used for authentication. | directory_id | +| authentication_options_mutual_authentication.client_root_certificate_chains | The ARN of the client certificate. | client_root_certificate_chain | +| authentication_options_federated_authentication_saml_provider_arns | The Amazon Resource Name (ARN) of the IAM SAML identity provider. | saml_provider_arn | +| authentication_options_federated_authentication_self_service_saml_provider_arns | The Amazon Resource Name (ARN) of the IAM SAML identity provider for the self-service portal. | self_service_saml_provider_arn | +| connection_log_options_enabled | Indicates whether client connection logging is enabled for the Client VPN endpoint. | enabled | +| connection_log_options_cloudwatch_log_groups | The name of the Amazon CloudWatch Logs log group to which connection logging data is published. | cloudwatch_log_group | +| connection_log_options_cloudwatch_log_streams | The name of the Amazon CloudWatch Logs log stream to which connection logging data is published. | cloudwatch_log_stream | +| tags | Describes a tag. | tags | +| security_group_ids | The IDs of the security groups for the target network. | security_group_ids | +| vpc_id | The ID of the VPC. | vpc_id | +| self_service_portal_url | The URL of the self-service portal. 
| self_service_portal_url | +| client_connect_options_enabled | Indicates whether client connect options are enabled. | enabled | +| client_connect_options_lambda_function_arns | The Amazon Resource Name (ARN) of the Lambda function used for connection authorization. | lambda_function_arn | +| client_connect_options_status_codes | The status code. | status.code | +| client_connect_options_status_messages | The status message. | status.message | + +## Examples + +### Ensure a client vpn endpoint id is available. + describe aws_ec2_client_vpn_endpoints do + its('client_vpn_endpoint_ids') { should include 'CLIENT_VPN_ENDPOINT_ID' } + end + +### Ensure that the status code is `available`. + describe aws_ec2_client_vpn_endpoints do + its('status_codes') { should include 'available' } + end + +## Matchers + +This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/). + +The controls will pass if the `describe` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + + describe aws_ec2_client_vpn_endpoints do + it { should exist } + end + +Use `should_not` to test the entity does not exist. + + describe aws_ec2_client_vpn_endpoints do + it { should_not exist } + end + +### be_available + +Use `should` to check if the entity is available. + + describe aws_ec2_client_vpn_endpoints do + it { should be_available } + end + +## AWS Permissions + +Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `EC2:Client:DescribeClientVpnEndpointsResult` action with `Effect` set to `Allow`. \ No newline at end of file diff --git a/docs/resources/aws_ec2_vpn_endpoint.md b/docs/resources/aws_ec2_vpn_endpoint.md new file mode 100644 index 000000000..e69de29bb 
diff --git a/docs/resources/aws_ec2_vpn_endpoints.md b/docs/resources/aws_ec2_vpn_endpoints.md
new file mode 100644
index 000000000..e69de29bb
diff --git a/libraries/aws_ec2_client_vpn_endpoint.rb b/libraries/aws_ec2_client_vpn_endpoint.rb
new file mode 100644
index 000000000..1ad599343
--- /dev/null
+++ b/libraries/aws_ec2_client_vpn_endpoint.rb
@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require 'aws_backend'
+
+class AWSEC2ClientVPNEndpoint < AwsResourceBase
+  name 'aws_ec2_client_vpn_endpoint'
+  desc 'Describes a VPN endpoint.'
+
+  example "
+    describe aws_ec2_client_vpn_endpoint(client_vpn_endpoint_id: 'CLIENT_VPN_ENDPOINT_ID') do
+      it { should exist }
+    end
+  "
+
+  def initialize(opts = {})
+    opts = { client_vpn_endpoint_id: opts } if opts.is_a?(String)
+    super(opts)
+    validate_parameters(required: [:client_vpn_endpoint_id])
+    raise ArgumentError, "#{@__resource_name__}: client_vpn_endpoint_id must be provided" unless opts[:client_vpn_endpoint_id] && !opts[:client_vpn_endpoint_id].empty?
+    @display_name = opts[:client_vpn_endpoint_id]
+    catch_aws_errors do
+      resp = @aws.compute_client.describe_client_vpn_endpoints({ client_vpn_endpoint_ids: [opts[:client_vpn_endpoint_id]] })
+      @res = resp.client_vpn_endpoints[0].to_h
+      create_resource_methods(@res)
+    end
+  end
+
+  def client_vpn_endpoint_id
+    return nil unless exists?
+    @res[:client_vpn_endpoint_id]
+  end
+
+  def exists?
+    !@res.nil? && !@res.empty?
+  end
+
+  def to_s
+    "Client VPN Endpoint ID: #{@display_name}"
+  end
+end
diff --git a/libraries/aws_ec2_client_vpn_endpoints.rb b/libraries/aws_ec2_client_vpn_endpoints.rb
new file mode 100644
index 000000000..4fdc3de94
--- /dev/null
+++ b/libraries/aws_ec2_client_vpn_endpoints.rb
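Review bot: The docs and the unit test both rely on `be_available`/`available?`, but this class defines only `exists?`, and the test stub carries no `status`, so whatever `available?` resolves to (presumably a generic one on `AwsResourceBase`) is not reading `status.code`; an audit resource should make that explicit with `def available?; exists? && @res.dig(:status, :code) == 'available'; end`, with the unit stub gaining `mock_data[:status] = { code: 'available' }`. The only API call here is `describe_client_vpn_endpoints`, i.e. the IAM action `ec2:DescribeClientVpnEndpoints`; the `EC2:Client:DescribeClientVpnEndpointsResult` string in both new docs is not an IAM action and will trip anyone writing the scanner's least-privilege policy. The class would also benefit from a header comment: `# Single EC2 Client VPN endpoint; every property (authentication_options, connection_log_options, status, ...) is generated from the DescribeClientVpnEndpoints item by create_resource_methods.`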
@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require 'aws_backend'
+
+class AWSEC2ClientVPNEndpoints < AwsResourceBase
+  name 'aws_ec2_client_vpn_endpoints'
+  desc 'Describes all the VPN endpoint.'
+
+  example "
+    describe aws_ec2_client_vpn_endpoints do
+      it { should exist }
+    end
+  "
+
+  attr_reader :table
+
+  FilterTable.create
+             .register_column(:client_vpn_endpoint_ids, field: :client_vpn_endpoint_id)
+             .register_column(:descriptions, field: :description)
+             .register_column(:creation_time, field: :creation_time)
+             .register_column(:deletion_time, field: :deletion_time)
+             .register_column(:dns_names, field: :dns_name)
+             .register_column(:split_tunnels, field: :split_tunnel)
+             .register_column(:vpn_protocols, field: :vpn_protocol)
+             .register_column(:transport_protocols, field: :transport_protocol)
+             .register_column(:vpn_ports, field: :vpn_port)
+             .register_column(:server_certificate_arns, field: :server_certificate_arn)
+             .register_column(:tags, field: :tags)
+             .install_filter_methods_on_resource(self, :table)
+
+  def initialize(opts = {})
+    super(opts)
+    validate_parameters
+    @table = fetch_data
+  end
+
+  def fetch_data
+    catch_aws_errors do
+      @table = @aws.compute_client.describe_client_vpn_endpoints.map do |resp|
+        resp.client_vpn_endpoints.map { |resp_name| {
+          client_vpn_endpoint_id: resp_name.client_vpn_endpoint_id,
+          description: resp_name.description,
+          creation_time: resp_name.creation_time,
+          deletion_time: resp_name.deletion_time,
+          dns_name: resp_name.dns_name,
+          split_tunnel: resp_name.split_tunnel,
+          vpn_protocol: resp_name.vpn_protocol,
+          transport_protocol: resp_name.transport_protocol,
+          vpn_port: resp_name.vpn_port,
+          server_certificate_arn: resp_name.server_certificate_arn,
+          tags: resp_name.tags,
+        }
+        }
+      end.flatten
+    end
+  end
+end
diff --git a/test/integration/verify/controls/aws_ec2_vpn_endpoint.rb b/test/integration/verify/controls/aws_ec2_vpn_endpoint.rb
new file mode 100644
index 000000000..e69de29bb
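Review bot: The `FilterTable` registers only eleven columns, so the fields the new docs list for this resource and use in their own example (`its('status_codes') { should include 'available' }`) — `status_codes`, `client_cidr_blocks`, `dns_servers`, `vpc_ids`, `security_group_ids`, `authentication_options`, `connection_log_options` — raise NoMethodError, and a profile cannot use the plural resource to find endpoints with connection logging disabled or with a weak authentication type, which is the main reason to audit Client VPN at all. Two registered names are also singular (`creation_time`, `deletion_time`) where the docs and every other column are plural. I would register the missing columns and emit the matching keys from `fetch_data`; nested SDK structs can be exposed with `to_h`, and the renames are safe because nothing else in this series references the singular names.
```ruby
  FilterTable.create
             .register_column(:client_vpn_endpoint_ids, field: :client_vpn_endpoint_id)
             # … unchanged: descriptions, dns_names, split_tunnels, vpn_protocols, transport_protocols, vpn_ports, server_certificate_arns, tags …
             .register_column(:creation_times, field: :creation_time)
             .register_column(:deletion_times, field: :deletion_time)
             .register_column(:status_codes, field: :status_code)
             .register_column(:client_cidr_blocks, field: :client_cidr_block)
             .register_column(:dns_servers, field: :dns_servers)
             .register_column(:vpc_ids, field: :vpc_id)
             .register_column(:security_group_ids, field: :security_group_ids)
             .register_column(:authentication_options, field: :authentication_options)
             .register_column(:connection_log_options, field: :connection_log_options)
             .install_filter_methods_on_resource(self, :table)

  # … unchanged: initialize …

      @table = @aws.compute_client.describe_client_vpn_endpoints.map do |resp|
        resp.client_vpn_endpoints.map { |resp_name| {
          client_vpn_endpoint_id: resp_name.client_vpn_endpoint_id,
          # … unchanged: description … tags …
          status_code: resp_name.status&.code,
          client_cidr_block: resp_name.client_cidr_block,
          dns_servers: resp_name.dns_servers,
          vpc_id: resp_name.vpc_id,
          security_group_ids: resp_name.security_group_ids,
          authentication_options: resp_name.authentication_options&.map(&:to_h),
          connection_log_options: resp_name.connection_log_options&.to_h,
        }
        }
      end.flatten
```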
diff --git a/test/integration/verify/controls/aws_ec2_vpn_endpoints.rb b/test/integration/verify/controls/aws_ec2_vpn_endpoints.rb new file mode 100644 index 000000000..e69de29bb diff --git a/test/unit/resources/aws_ec2_client_vpn_endpoint_test.rb b/test/unit/resources/aws_ec2_client_vpn_endpoint_test.rb new file mode 100644 index 000000000..0fe8fd1ca --- /dev/null +++ b/test/unit/resources/aws_ec2_client_vpn_endpoint_test.rb 
@@ -0,0 +1,70 @@
+require 'helper'
+require 'aws_ec2_client_vpn_endpoint'
+require 'aws-sdk-core'
+
+class AWSEC2ClientVPNEndpointConstructorTest < Minitest::Test
+  def test_empty_params_not_ok
+    assert_raises(ArgumentError) { AWSEC2ClientVPNEndpoint.new(client_args: { stub_responses: true }) }
+  end
+
+  def test_accepts_vpc_endpoint_id_as_hash_eight_sign
+    AWSEC2ClientVPNEndpoint.new(client_vpn_endpoint_id: 'test', client_args: { stub_responses: true })
+  end
+
+  def test_accepts_vpc_endpoint_id_as_hash
+    AWSEC2ClientVPNEndpoint.new(client_vpn_endpoint_id: 'test', client_args: { stub_responses: true })
+  end
+
+  def test_rejects_unrecognized_params
+    assert_raises(ArgumentError) { AWSEC2ClientVPNEndpoint.new(rubbish: 9) }
+  end
+end
+
+class AWSEC2ClientVPNEndpointPathTest < Minitest::Test
+  def setup
+    data = {}
+    data[:method] = :describe_client_vpn_endpoints
+    mock_data = {}
+    mock_data[:client_vpn_endpoint_id] = "test"
+    mock_data[:description] = 'test'
+    mock_data[:dns_name] = 'test'
+    mock_data[:client_cidr_block] = 'test'
+    mock_data[:dns_servers] = ['vpc']
+    mock_data[:split_tunnel] = true
+    data[:data] = { client_vpn_endpoints: [mock_data] }
+    data[:client] = Aws::EC2::Client
+    @resp = AWSEC2ClientVPNEndpoint.new(client_vpn_endpoint_id: "test", client_args: { stub_responses: true }, stub_data: [data])
+  end
+
+  def test_client_vpn_endpoint_id_exists
+    assert @resp.exists?
+  end
+
+  def test_client_vpn_endpoint_id_available
+    assert @resp.available?
+  end
+
+  def test_client_vpn_endpoint_id
+    assert_equal(@resp.client_vpn_endpoint_id, 'test')
+  end
+
+  def test_description
+    assert_equal(@resp.description, 'test')
+  end
+
+  def test_dns_name
+    assert_equal(@resp.dns_name, 'test')
+  end
+
+  def test_client_cidr_block
+    assert_equal(@resp.client_cidr_block, 'test')
+  end
+
+  def test_dns_servers
+    assert_equal(@resp.dns_servers, ["vpc"])
+  end
+
+  def test_split_tunnel
+    assert_equal(@resp.split_tunnel, true)
+  end
+end
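Review bot: `test_client_vpn_endpoint_id_available` asserts `@resp.available?` on a stub that has no `status`, so the test passes without any endpoint state being read and would keep passing if `available?` were broken; add `mock_data[:status] = { code: 'available' }` to `setup` and a second stub whose `status.code` is anything else with `refute @resp.available?`. `test_accepts_vpc_endpoint_id_as_hash_eight_sign` and `test_accepts_vpc_endpoint_id_as_hash` have identical bodies; one of them is better spent on the explicit empty-id guard in `initialize`, `assert_raises(ArgumentError) { AWSEC2ClientVPNEndpoint.new(client_vpn_endpoint_id: '', client_args: { stub_responses: true }) }`, which nothing covers today.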
diff --git a/test/unit/resources/aws_ec2_client_vpn_endpoints_test.rb b/test/unit/resources/aws_ec2_client_vpn_endpoints_test.rb
new file mode 100644
index 000000000..b1a54a0ed
--- /dev/null
+++ b/test/unit/resources/aws_ec2_client_vpn_endpoints_test.rb
@@ -0,0 +1,58 @@
+require 'helper'
+require 'aws_ec2_client_vpn_endpoints'
+require 'aws-sdk-core'
+
+class AWSEC2ClientVPNEndpointsConstructorTest < Minitest::Test
+  def test_empty_params_ok
+    AWSEC2ClientVPNEndpoints.new(client_args: { stub_responses: true })
+  end
+
+  def test_rejects_other_args
+    assert_raises(ArgumentError) { AWSEC2ClientVPNEndpoints.new('rubbish') }
+  end
+
+  def test_vpcs_non_existing_for_empty_response
+    refute AWSEC2ClientVPNEndpoints.new(client_args: { stub_responses: true }).exist?
+  end
+end
+
+class AWSEC2ClientVPNEndpointsPathTest < Minitest::Test
+def setup
+  data = {}
+  data[:method] = :describe_client_vpn_endpoints
+  mock_data = {}
+  mock_data[:client_vpn_endpoint_id] = "test"
+  mock_data[:description] = 'test'
+  mock_data[:dns_name] = 'test'
+  mock_data[:client_cidr_block] = 'test'
+  mock_data[:dns_servers] = ['vpc']
+  mock_data[:split_tunnel] = true
+  data[:data] = { client_vpn_endpoints: [mock_data] }
+  data[:client] = Aws::EC2::Client
+  @resp = AWSEC2ClientVPNEndpoints.new(client_args: { stub_responses: true }, stub_data: [data])
+end
+
+def test_client_vpn_endpoint_id_exists
+  assert @resp.exists?
+end
+
+def test_client_vpn_endpoint_id_available
+  assert @resp.available?
+end
+
+def test_client_vpn_endpoint_id
+  assert_equal(@resp.client_vpn_endpoint_ids, ['test'])
+end
+
+def test_description
+  assert_equal(@resp.descriptions, ['test'])
+end
+
+def test_dns_name
+  assert_equal(@resp.dns_names, ['test'])
+end
+
+def test_split_tunnel
+  assert_equal(@resp.split_tunnels, [true])
+end
+end
From 61d9c66c349ab65cacff976d6c6c4d8dffd50527 Mon Sep 17 00:00:00 2001
From: Soumyodeep Karmakar <63713087+soumyo13@users.noreply.github.com> Date: Thu, 28 Oct 2021 09:35:18 +0530 Subject: [PATCH 02/14] Delete aws_ec2_vpn_endpoint.md --- docs/resources/aws_ec2_vpn_endpoint.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 docs/resources/aws_ec2_vpn_endpoint.md diff --git a/docs/resources/aws_ec2_vpn_endpoint.md b/docs/resources/aws_ec2_vpn_endpoint.md deleted file mode 100644 index e69de29bb..000000000 From 325646abe5adafe63e4dc356db6617b447606b9a Mon Sep 17 00:00:00 2001 From: Soumyodeep Karmakar <63713087+soumyo13@users.noreply.github.com> Date: Thu, 28 Oct 2021 09:35:28 +0530 Subject: [PATCH 03/14] Delete aws_ec2_vpn_endpoints.rb --- test/integration/verify/controls/aws_ec2_vpn_endpoints.rb | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 test/integration/verify/controls/aws_ec2_vpn_endpoints.rb diff --git a/test/integration/verify/controls/aws_ec2_vpn_endpoints.rb b/test/integration/verify/controls/aws_ec2_vpn_endpoints.rb deleted file mode 100644 index e69de29bb..000000000 From 4bbbafc904c83db415d6956bff1c22e2502dc168 Mon Sep 17 00:00:00 2001 From: Soumyodeep Karmakar <63713087+soumyo13@users.noreply.github.com> Date: Thu, 28 Oct 2021 09:35:55 +0530 Subject: [PATCH 04/14] Delete aws_ec2_vpn_endpoints.md --- docs/resources/aws_ec2_vpn_endpoints.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 docs/resources/aws_ec2_vpn_endpoints.md diff --git a/docs/resources/aws_ec2_vpn_endpoints.md b/docs/resources/aws_ec2_vpn_endpoints.md deleted file mode 100644 index e69de29bb..000000000 From 11f45f6aa1db26bb5b9621c774fae1d1ff79c407 Mon Sep 17 00:00:00 2001 From: Nirbhay Kumar Date: Thu, 28 Oct 2021 16:28:54 +0530 Subject: [PATCH 05/14] added inegration tests Signed-off-by: Nirbhay Kumar --- .../verify/controls/aws_ec2_vpn_endpoint.rb | 17 +++++++++++++++++ .../verify/controls/aws_ec2_vpn_endpoints.rb | 17 +++++++++++++++++ 2 files changed, 34 insertions(+) 
diff --git a/test/integration/verify/controls/aws_ec2_vpn_endpoint.rb b/test/integration/verify/controls/aws_ec2_vpn_endpoint.rb
index e69de29bb..afa082571 100644
--- a/test/integration/verify/controls/aws_ec2_vpn_endpoint.rb
+++ b/test/integration/verify/controls/aws_ec2_vpn_endpoint.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+client_vpn_endpoint_id = attribute('client_vpn_endpoint_id', value: '', description: '')
+control 'aws_ec2_client_vpn_endpoint-1.0' do
+  impact 1.0
+  title 'Test the properties of the vpn endpoint.'
+  describe aws_ec2_client_vpn_endpoint(client_vpn_endpoint_id: client_vpn_endpoint_id) do
+    it { should exist }
+    its('client_vpn_endpoint_id') { should eq client_vpn_endpoint_id }
+    its('description') { should eq "Example Client VPN endpoint" }
+    its('dns_name') { should eq '*.cvpn-endpoint-08720d356dd9928c8.prod.clientvpn.us-east-2.amazonaws.com' }
+    its('split_tunnel') { should eq false }
+    its('vpn_protocol') { should eq 'openvpn' }
+    its('transport_protocol') { should eq 'udp' }
+    its('vpn_port') { should eq 44375 }
+    its('server_certificate_arn') { should eq 'arn:aws:acm:us-east-2:112758395563:certificate/a20fe841-b1ef-4785-aefb-e69838eacdcb' }
+  end
+end
\ No newline at end of file
diff --git a/test/integration/verify/controls/aws_ec2_vpn_endpoints.rb b/test/integration/verify/controls/aws_ec2_vpn_endpoints.rb
index e69de29bb..ac58e84ab 100644
--- a/test/integration/verify/controls/aws_ec2_vpn_endpoints.rb
+++ b/test/integration/verify/controls/aws_ec2_vpn_endpoints.rb
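Review bot: The expected values are copied from one account: `dns_name` embeds the endpoint id `cvpn-endpoint-08720d356dd9928c8`, `server_certificate_arn` embeds account `112758395563`, and `vpn_port` 44375 is not set anywhere in the fixture added in the next commit, so the control can only pass in the author's account and it commits a real AWS account ID and certificate ARN to the repository. Export those values from Terraform and read them as attributes the way `client_vpn_endpoint_id` already is, e.g. `its('server_certificate_arn') { should eq server_certificate_arn }` and `its('dns_name') { should match(/\*\.cvpn-endpoint-.+\.amazonaws\.com\z/) }`. The attribute default `value: ''` also means a run without the attributes file feeds an empty id into the resource, which raises `ArgumentError` from `initialize` rather than producing a readable control failure; a non-empty placeholder or a `only_if { !client_vpn_endpoint_id.empty? }` guard would make that explicit.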
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+client_vpn_endpoint_id = attribute('client_vpn_endpoint_id', value: '', description: '')
+control 'aws_ec2_client_vpn_endpoints-1.0' do
+  impact 1.0
+  title 'Test the properties of the vpn endpoints.'
+  describe aws_ec2_client_vpn_endpoints do
+    it { should exist }
+    its('client_vpn_endpoint_ids') { should include client_vpn_endpoint_id }
+    its('descriptions') { should include "Example Client VPN endpoint" }
+    its('dns_names') { should include '*.cvpn-endpoint-08720d356dd9928c8.prod.clientvpn.us-east-2.amazonaws.com' }
+    its('split_tunnels') { should include false }
+    its('vpn_protocols') { should include 'openvpn' }
+    its('transport_protocols') { should include 'udp' }
+    its('vpn_ports') { should include 44365 }
+    its('server_certificate_arns') { should include 'arn:aws:acm:us-east-2:9999999999:certificate/a20fe841-b1ef-4785-aefb-e69838eacdcb' }
+  end
+end
From e62cfe0e1435cbd070101dba14d54d0b557384f2 Mon Sep 17 00:00:00 2001 From: Nirbhay Kumar Date: Thu, 28 Oct 2021 16:30:52 +0530 Subject: [PATCH 06/14] added inegration tests Signed-off-by: Nirbhay Kumar --- test/integration/build/aws.tf | 32 ++++++++++++++++++++++++++++++- test/integration/build/outputs.tf | 14 +++++++++++++- 2 files changed, 44 insertions(+), 2 deletions(-)
diff --git a/test/integration/build/aws.tf b/test/integration/build/aws.tf
index 25d6fc3f6..462708bc3 100644
--- a/test/integration/build/aws.tf
+++ b/test/integration/build/aws.tf
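Review bot: This control pins `vpn_ports` to 44365 while the singular control in the same commit pins 44375 and the fixture sets no port at all, so at least one of the two cannot pass; the certificate ARN here uses a 10-digit account `9999999999`, which is not a valid 12-digit AWS account ID, so that `should include` is unsatisfiable as well. Because this is a fleet-wide resource, `should include false` for `split_tunnels` only proves that some endpoint in the region has split tunnel off, not that the fixture's does. Scope the check to the fixture's row, `describe aws_ec2_client_vpn_endpoints.where(client_vpn_endpoint_id: client_vpn_endpoint_id) do`, and take the expected ARN and DNS name from Terraform outputs via `attribute` instead of literals.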
@@ -4344,4 +4344,34 @@ resource "aws_db_cluster_snapshot" "aws_db_cluster_snapshot_test" { resource "aws_placement_group" "web" { name = "test_placement_group" strategy = "cluster" -} \ No newline at end of file +} + +## VPN Endpoints +resource "aws_ec2_client_vpn_route" "test-route" { + client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.test-endpoint.id + destination_cidr_block = "0.0.0.0/0" + target_vpc_subnet_id = aws_ec2_client_vpn_network_association.test-association.subnet_id +} + +resource "aws_ec2_client_vpn_network_association" "test-association" { + client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.test-endpoint.id + subnet_id = "subnet-700ff218" +} + +resource "aws_ec2_client_vpn_endpoint" "test-endpoint" { + description = "Example Client VPN endpoint" + server_certificate_arn = "arn:aws:acm:us-east-2:112758395563:certificate/a20fe841-b1ef-4785-aefb-e69838eacdcb" + client_cidr_block = "10.0.0.0/16" + + authentication_options { + type = "certificate-authentication" + root_certificate_chain_arn = "arn:aws:acm:us-east-2:112758395563:certificate/a20fe841-b1ef-4785-aefb-e69838eacdcb" + } + + connection_log_options { + enabled = false + } +} + + + diff --git a/test/integration/build/outputs.tf b/test/integration/build/outputs.tf index 9b4cdf8b2..2e88f460d 100644 --- a/test/integration/build/outputs.tf +++ b/test/integration/build/outputs.tf @@ -935,4 +935,16 @@ output "aws_db_cluster_snapshot_storage_encrypted" { output "aws_placement_group_name" { value = aws_placement_group.web.name -} \ No newline at end of file +} + +output "client_vpn_endpoint_id" { + value = aws_ec2_client_vpn_endpoint.test-endpoint.id +} + +output "association_id" { + value = aws_ec2_client_vpn_network_association.test-association.id +} + +output "target_vpc_subnet_id" { + value = aws_ec2_client_vpn_route.test-route.id +} From ffde8f6bc0bf29d1b120baf2ba81a5b0df82895c Mon Sep 17 00:00:00 2001 
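Review bot: The fixture is pinned to one account: `server_certificate_arn` and `root_certificate_chain_arn` reference an ACM certificate in account `112758395563`, and `subnet_id = "subnet-700ff218"` is a pre-existing subnet, so `terraform apply` fails for every other contributor and for CI; the series later scrubs that account ID from the controls (patch 11) but leaves it here. Reference a subnet created in this configuration (if the build already defines a VPC) and either take the certificate ARN as a variable or, if the `tls` provider is available to the build, generate it with `tls_self_signed_cert` plus `aws_acm_certificate` so the run is self-contained. `connection_log_options { enabled = false }` and the `0.0.0.0/0` route are acceptable for a throwaway fixture but deserve `# test fixture only: logging off and full-tunnel route are not a hardening reference` so nobody copies this block as the example configuration.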
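Review bot: `output "target_vpc_subnet_id"` exposes `aws_ec2_client_vpn_route.test-route.id`, which is the route's identifier, not a subnet; either rename it `client_vpn_route_id` or point it at `aws_ec2_client_vpn_route.test-route.target_vpc_subnet_id`. The controls in this series also need `aws_ec2_client_vpn_endpoint.test-endpoint.server_certificate_arn` and `.dns_name` exported here so they can stop hard-coding account-specific values.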
From: NIRBHAY KUMAR <42607997+Nirbhay1997@users.noreply.github.com> Date: Thu, 28 Oct 2021 17:09:50 +0530 Subject: [PATCH 07/14] Update docs/resources/aws_ec2_client_vpn_endpoint.md Co-authored-by: Soumyodeep Karmakar <63713087+soumyo13@users.noreply.github.com> --- docs/resources/aws_ec2_client_vpn_endpoint.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/resources/aws_ec2_client_vpn_endpoint.md b/docs/resources/aws_ec2_client_vpn_endpoint.md index b1237e38d..ec1d0048e 100644 --- a/docs/resources/aws_ec2_client_vpn_endpoint.md +++ b/docs/resources/aws_ec2_client_vpn_endpoint.md @@ -27,8 +27,8 @@ For additional information, see the [AWS documentation on AWS EC2 ClientVpnEndpo ## Properties -| Property | Description | Field | -| --- | --- | --- | +| Property | Description | +| --- | --- | | client_vpn_endpoint_id | The ID of the Client VPN endpoint. | | description | A brief description of the endpoint. | | status.code | The state of the Client VPN endpoint. | From c3fa006167b9cefc13e4900a13093a381e1cbec9 Mon Sep 17 00:00:00 2001 From: NIRBHAY KUMAR <42607997+Nirbhay1997@users.noreply.github.com> Date: Thu, 28 Oct 2021 17:09:58 +0530 Subject: [PATCH 08/14] Update test/unit/resources/aws_ec2_client_vpn_endpoints_test.rb Co-authored-by: Soumyodeep Karmakar <63713087+soumyo13@users.noreply.github.com> --- test/unit/resources/aws_ec2_client_vpn_endpoints_test.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/unit/resources/aws_ec2_client_vpn_endpoints_test.rb b/test/unit/resources/aws_ec2_client_vpn_endpoints_test.rb index b1a54a0ed..5ed9af1b3 100644 --- a/test/unit/resources/aws_ec2_client_vpn_endpoints_test.rb +++ b/test/unit/resources/aws_ec2_client_vpn_endpoints_test.rb 
@@ -11,7 +11,7 @@ def test_rejects_other_args assert_raises(ArgumentError) { AWSEC2ClientVPNEndpoints.new('rubbish') } end - def test_vpcs_non_existing_for_empty_response + def test_client_vpn_endpoints_non_existing_for_empty_response refute AWSEC2ClientVPNEndpoints.new(client_args: { stub_responses: true }).exist? end end From 7bbeed43e6b6898f32abf115dbadc18e0bb7bdd7 Mon Sep 17 00:00:00 2001 From: NIRBHAY KUMAR <42607997+Nirbhay1997@users.noreply.github.com> Date: Thu, 28 Oct 2021 17:10:05 +0530 Subject: [PATCH 09/14] Update test/unit/resources/aws_ec2_client_vpn_endpoint_test.rb Co-authored-by: Soumyodeep Karmakar <63713087+soumyo13@users.noreply.github.com> --- test/unit/resources/aws_ec2_client_vpn_endpoint_test.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/unit/resources/aws_ec2_client_vpn_endpoint_test.rb b/test/unit/resources/aws_ec2_client_vpn_endpoint_test.rb index 0fe8fd1ca..ae2a08ed8 100644 --- a/test/unit/resources/aws_ec2_client_vpn_endpoint_test.rb +++ b/test/unit/resources/aws_ec2_client_vpn_endpoint_test.rb @@ -7,7 +7,7 @@ def test_empty_params_not_ok assert_raises(ArgumentError) { AWSEC2ClientVPNEndpoint.new(client_args: { stub_responses: true }) } end - def test_accepts_vpc_endpoint_id_as_hash_eight_sign + def test_accepts_client_vpn_endpoint_id_as_hash_eight_sign AWSEC2ClientVPNEndpoint.new(client_vpn_endpoint_id: 'test', client_args: { stub_responses: true }) end From 321ad10c0833ef8cf909d3b932c16c5b179908ec Mon Sep 17 00:00:00 2001 From: NIRBHAY KUMAR <42607997+Nirbhay1997@users.noreply.github.com> Date: Thu, 28 Oct 2021 17:10:11 +0530 Subject: [PATCH 10/14] Update test/unit/resources/aws_ec2_client_vpn_endpoint_test.rb Co-authored-by: Soumyodeep Karmakar <63713087+soumyo13@users.noreply.github.com> --- test/unit/resources/aws_ec2_client_vpn_endpoint_test.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/test/unit/resources/aws_ec2_client_vpn_endpoint_test.rb b/test/unit/resources/aws_ec2_client_vpn_endpoint_test.rb index ae2a08ed8..f667b899a 100644 --- a/test/unit/resources/aws_ec2_client_vpn_endpoint_test.rb +++ b/test/unit/resources/aws_ec2_client_vpn_endpoint_test.rb @@ -11,7 +11,7 @@ def test_accepts_client_vpn_endpoint_id_as_hash_eight_sign AWSEC2ClientVPNEndpoint.new(client_vpn_endpoint_id: 'test', client_args: { stub_responses: true }) end - def test_accepts_vpc_endpoint_id_as_hash + def test_accepts_client_vpn_endpoint_id_as_hash AWSEC2ClientVPNEndpoint.new(client_vpn_endpoint_id: 'test', client_args: { stub_responses: true }) end From 19e3500b1d8e436ba0eed053126da373c6a1a5ff Mon Sep 17 00:00:00 2001 From: Nirbhay Kumar Date: Thu, 28 Oct 2021 18:14:46 +0530 Subject: [PATCH 11/14] typo fix Signed-off-by: Nirbhay Kumar --- .../verify/controls/aws_ec2_vpn_endpoint.rb | 10 ++++++---- .../verify/controls/aws_ec2_vpn_endpoints.rb | 8 +++++--- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/test/integration/verify/controls/aws_ec2_vpn_endpoint.rb b/test/integration/verify/controls/aws_ec2_vpn_endpoint.rb index afa082571..64e437f10 100644 --- a/test/integration/verify/controls/aws_ec2_vpn_endpoint.rb +++ b/test/integration/verify/controls/aws_ec2_vpn_endpoint.rb 
@@ -1,17 +1,19 @@
 # frozen_string_literal: true
 client_vpn_endpoint_id = attribute('client_vpn_endpoint_id', value: '', description: '')
-control 'aws_ec2_client_vpn_endpoint-1.0' do
+
+skip_control 'aws_ec2_client_vpn_endpoint-1.0' do
 impact 1.0
 title 'Test the properties of the vpn endpoint.'
+
 describe aws_ec2_client_vpn_endpoint(client_vpn_endpoint_id: client_vpn_endpoint_id) do
 it { should exist }
 its('client_vpn_endpoint_id') { should eq client_vpn_endpoint_id }
 its('description') { should eq "Example Client VPN endpoint" }
- its('dns_name') { should eq '*.cvpn-endpoint-08720d356dd9928c8.prod.clientvpn.us-east-2.amazonaws.com' }
+ its('dns_name') { should_not eq '*.cvpn-endpoint-9999999999.prod.clientvpn.us-east-2.amazonaws.com' }
 its('split_tunnel') { should eq false }
 its('vpn_protocol') { should eq 'openvpn' }
 its('transport_protocol') { should eq 'udp' }
- its('vpn_port') { should eq 44375 }
- its('server_certificate_arn') { should eq 'arn:aws:acm:us-east-2:112758395563:certificate/a20fe841-b1ef-4785-aefb-e69838eacdcb' }
+ its('vpn_port') { should_not eq 44375 }
+ its('server_certificate_arn') { should_not eq 'arn:aws:acm:us-east-2:999999999999:certificate/a20fe841-b1ef-4785-aefb-e69838eacdcb' }
 end
 end
\ No newline at end of file
diff --git a/test/integration/verify/controls/aws_ec2_vpn_endpoints.rb b/test/integration/verify/controls/aws_ec2_vpn_endpoints.rb
index ac58e84ab..ca29ebfde 100644
--- a/test/integration/verify/controls/aws_ec2_vpn_endpoints.rb
+++ b/test/integration/verify/controls/aws_ec2_vpn_endpoints.rb
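Review bot: The three rewritten expectations in this hunk — `its('dns_name') { should_not eq ... }`, `its('vpn_port') { should_not eq 44375 }` and `its('server_certificate_arn') { should_not eq ... }` — now compare against placeholder values, so they pass for any endpoint and no longer verify the DNS name, port or certificate ARN; the same `should_not include` pattern is in the aws_ec2_vpn_endpoints.rb hunk below and survives the later placeholder renames to `1234567890` in PATCH 13. If the real values are environment-specific, read them from attributes the way `client_vpn_endpoint_id` already is, e.g. `its('vpn_port') { should eq attribute('vpn_port', value: '', description: '') }`, or assert a structural property such as `its('server_certificate_arn') { should match(%r{\Aarn:aws:acm:[a-z0-9-]+:\d{12}:certificate/}) }`. Note also that the placeholder account IDs `9999999999` and `1234567890` are 10 digits while AWS account IDs are 12, so the example ARNs are malformed even as placeholders. Wrapping the whole control in `skip_control` (done for the plural control in PATCH 12 as well) removes the integration coverage entirely; an `only_if { !client_vpn_endpoint_id.empty? }` guard inside the control would keep it runnable where the attribute is supplied.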
@@ -1,17 +1,19 @@
 # frozen_string_literal: true
 client_vpn_endpoint_id = attribute('client_vpn_endpoint_id', value: '', description: '')
+
 control 'aws_ec2_client_vpn_endpoints-1.0' do
 impact 1.0
 title 'Test the properties of the vpn endpoints.'
+
 describe aws_ec2_client_vpn_endpoints do
 it { should exist }
 its('client_vpn_endpoint_ids') { should include client_vpn_endpoint_id }
 its('descriptions') { should include "Example Client VPN endpoint" }
- its('dns_names') { should include '*.cvpn-endpoint-08720d356dd9928c8.prod.clientvpn.us-east-2.amazonaws.com' }
+ its('dns_names') { should_not include '*.cvpn-endpoint-99999999999.prod.clientvpn.us-east-2.amazonaws.com' }
 its('split_tunnels') { should include false }
 its('vpn_protocols') { should include 'openvpn' }
 its('transport_protocols') { should include 'udp' }
- its('vpn_ports') { should include 44365 }
- its('server_certificate_arns') { should include 'arn:aws:acm:us-east-2:9999999999:certificate/a20fe841-b1ef-4785-aefb-e69838eacdcb' }
+ its('vpn_ports') { should_not include 44365 }
+ its('server_certificate_arns') { should_not include 'arn:aws:acm:us-east-2:9999999999:certificate/a20fe841-b1ef-4785-aefb-e69838eacdcb' }
 end
 end
From e4e2ca8c7d6974dc03f39ce0a36db94a2b4303c4 Mon Sep 17 00:00:00 2001 From: Nirbhay Kumar Date: Thu, 28 Oct 2021 18:15:44 +0530 Subject: [PATCH 12/14] typo fix Signed-off-by: Nirbhay Kumar
---
test/integration/verify/controls/aws_ec2_vpn_endpoints.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/integration/verify/controls/aws_ec2_vpn_endpoints.rb b/test/integration/verify/controls/aws_ec2_vpn_endpoints.rb
index ca29ebfde..ce9150b73 100644
--- a/test/integration/verify/controls/aws_ec2_vpn_endpoints.rb
+++ b/test/integration/verify/controls/aws_ec2_vpn_endpoints.rb
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 client_vpn_endpoint_id = attribute('client_vpn_endpoint_id', value: '', description: '')
 
-control 'aws_ec2_client_vpn_endpoints-1.0' do
+skip_control 'aws_ec2_client_vpn_endpoints-1.0' do
 impact 1.0
 title 'Test the properties of the vpn endpoints.'
 
From a0e0f82f957ba1f111f75ba3bcc3883495ef88cc Mon Sep 17 00:00:00 2001 From: Nirbhay Kumar Date: Thu, 28 Oct 2021 18:22:34 +0530 Subject: [PATCH 13/14] typo fix Signed-off-by: Nirbhay Kumar
---
test/integration/verify/controls/aws_ec2_vpn_endpoint.rb | 4 ++-- test/integration/verify/controls/aws_ec2_vpn_endpoints.rb | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/test/integration/verify/controls/aws_ec2_vpn_endpoint.rb b/test/integration/verify/controls/aws_ec2_vpn_endpoint.rb
index 64e437f10..a711284cc 100644
--- a/test/integration/verify/controls/aws_ec2_vpn_endpoint.rb
+++ b/test/integration/verify/controls/aws_ec2_vpn_endpoint.rb
@@ -9,11 +9,11 @@
 it { should exist }
 its('client_vpn_endpoint_id') { should eq client_vpn_endpoint_id }
 its('description') { should eq "Example Client VPN endpoint" }
- its('dns_name') { should_not eq '*.cvpn-endpoint-9999999999.prod.clientvpn.us-east-2.amazonaws.com' }
+ its('dns_name') { should_not eq '*.cvpn-endpoint-1234567890.prod.clientvpn.us-east-2.amazonaws.com' }
 its('split_tunnel') { should eq false }
 its('vpn_protocol') { should eq 'openvpn' }
 its('transport_protocol') { should eq 'udp' }
 its('vpn_port') { should_not eq 44375 }
- its('server_certificate_arn') { should_not eq 'arn:aws:acm:us-east-2:999999999999:certificate/a20fe841-b1ef-4785-aefb-e69838eacdcb' }
+ its('server_certificate_arn') { should_not eq 'arn:aws:acm:us-east-2:1234567890:certificate/a20fe841-b1ef-4785-aefb-e69838eacdcb' }
 end
 end
\ No newline at end of file
diff --git a/test/integration/verify/controls/aws_ec2_vpn_endpoints.rb b/test/integration/verify/controls/aws_ec2_vpn_endpoints.rb
index ce9150b73..e69b5204c 100644
--- a/test/integration/verify/controls/aws_ec2_vpn_endpoints.rb
+++ b/test/integration/verify/controls/aws_ec2_vpn_endpoints.rb
@@ -9,11 +9,11 @@
 it { should exist }
 its('client_vpn_endpoint_ids') { should include client_vpn_endpoint_id }
 its('descriptions') { should include "Example Client VPN endpoint" }
- its('dns_names') { should_not include '*.cvpn-endpoint-99999999999.prod.clientvpn.us-east-2.amazonaws.com' }
+ its('dns_names') { should_not include '*.cvpn-endpoint-1234567890.prod.clientvpn.us-east-2.amazonaws.com' }
 its('split_tunnels') { should include false }
 its('vpn_protocols') { should include 'openvpn' }
 its('transport_protocols') { should include 'udp' }
 its('vpn_ports') { should_not include 44365 }
- its('server_certificate_arns') { should_not include 'arn:aws:acm:us-east-2:9999999999:certificate/a20fe841-b1ef-4785-aefb-e69838eacdcb' }
+ its('server_certificate_arns') { should_not include 'arn:aws:acm:us-east-2:1234567890:certificate/a20fe841-b1ef-4785-aefb-e69838eacdcb' }
 end
 end
From d3e959aff729cb2581ad8995344d3ccede72e0d0 Mon Sep 17 00:00:00 2001 From: Ian Maddaus Date: Thu, 28 Oct 2021 11:45:20 -0600 Subject: [PATCH 14/14] Docs edits Signed-off-by: Ian Maddaus
---
docs/resources/aws_ec2_client_vpn_endpoint.md | 12 +++++++----- docs/resources/aws_ec2_client_vpn_endpoints.md | 12 +++++++----- 2 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/docs/resources/aws_ec2_client_vpn_endpoint.md b/docs/resources/aws_ec2_client_vpn_endpoint.md
index ec1d0048e..068fc846a 100644
--- a/docs/resources/aws_ec2_client_vpn_endpoint.md
+++ b/docs/resources/aws_ec2_client_vpn_endpoint.md
@@ -5,13 +5,13 @@ platform: aws # aws_ec2_client_vpn_endpoint -Use the `aws_ec2_client_vpn_endpoint` InSpec audit resource to test properties of a single specific AWS EC2 Client Vpn Endpoint. +Use the `aws_ec2_client_vpn_endpoint` InSpec audit resource to test properties of a single specific AWS EC2 Client VPN endpoint. -The AWS::EC2::ClientVpnEndpoint specifies a Client VPN endpoint. +The `AWS::EC2::ClientVpnEndpoint` specifies a Client VPN endpoint. ## Syntax -Ensure that the client vpn endpoint exists. +Ensure that the client VPN endpoint exists. describe aws_ec2_client_vpn_endpoint(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do it { should exist } @@ -66,12 +66,14 @@ For additional information, see the [AWS documentation on AWS EC2 ClientVpnEndpo ## Examples -### Ensure a client vpn endpoint id is available. +### Ensure a client VPN endpoint ID is available. + describe aws_ec2_client_vpn_endpoint(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do its('client_vpn_endpoint_id') { should eq 'CLIENT_VPN_ENDPOINT_ID' } end ### Ensure that the status code is `available`. + describe aws_ec2_client_vpn_endpoint(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do its('status.code') { should eq 'available' } end @@ -106,4 +108,4 @@ Use `should` to check if the entity is available. ## AWS Permissions -Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `EC2:Client:DescribeClientVpnEndpointsResult` action with `Effect` set to `Allow`. \ No newline at end of file +Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `EC2:Client:DescribeClientVpnEndpointsResult` action with `Effect` set to `Allow`. diff --git a/docs/resources/aws_ec2_client_vpn_endpoints.md b/docs/resources/aws_ec2_client_vpn_endpoints.md index 9abf5cc99..6a7f3b5a7 100644 --- a/docs/resources/aws_ec2_client_vpn_endpoints.md 
+++ b/docs/resources/aws_ec2_client_vpn_endpoints.md @@ -5,13 +5,13 @@ platform: aws # aws_ec2_client_vpn_endpoints -Use the `aws_ec2_client_vpn_endpoints` InSpec audit resource to test properties of a single specific AWS EC2 Client Vpn Endpoint. +Use the `aws_ec2_client_vpn_endpoints` InSpec audit resource to test properties of multiple AWS EC2 Client VPN endpoint. -The AWS::EC2::ClientVpnEndpoint specifies a Client VPN endpoint. +The `AWS::EC2::ClientVpnEndpoint` specifies a Client VPN endpoint. ## Syntax -Ensure that the client vpn endpoint exists. +Ensure that the client VPN endpoint exists. describe aws_ec2_client_vpn_endpoints do it { should exist } @@ -23,7 +23,7 @@ For additional information, see the [AWS documentation on AWS EC2 ClientVpnEndpo ## Properties -| Property | Description | Field | +| Property | Description | Field | | --- | --- | --- | | client_vpn_endpoint_ids | The ID of the Client VPN endpoint. | client_vpn_endpoint_id | | descriptions | A brief description of the endpoint. | description | @@ -62,12 +62,14 @@ For additional information, see the [AWS documentation on AWS EC2 ClientVpnEndpo ## Examples -### Ensure a client vpn endpoint id is available. +### Ensure a client VPN endpoint ID is available. + describe aws_ec2_client_vpn_endpoints do its('client_vpn_endpoint_ids') { should include 'CLIENT_VPN_ENDPOINT_ID' } end ### Ensure that the status code is `available`. + describe aws_ec2_client_vpn_endpoints do its('status_codes') { should include 'available' } end