Resource Types

acm | alb | alb_listener | alb_target_group | ami | apigateway | autoscaling_group | batch_compute_environment | batch_job_definition | batch_job_queue | cloudformation_stack | cloudfront_distribution | cloudtrail | cloudwatch_alarm | cloudwatch_event | cloudwatch_logs | codebuild | codedeploy | codedeploy_deployment_group | cognito_identity_pool | cognito_user_pool | customer_gateway | directconnect_virtual_interface | dynamodb_table | ebs | ec2 | ecr_repository | ecs_cluster | ecs_container_instance | ecs_service | ecs_task_definition | efs | eip | eks | eks_nodegroup | elasticache | elasticache_cache_parameter_group | elasticsearch | elastictranscoder_pipeline | elb | emr | firehose | iam_group | iam_policy | iam_role | iam_user | internet_gateway | kinesis | kms | lambda | launch_configuration | launch_template | mq | msk | nat_gateway | network_acl | network_interface | nlb | nlb_listener | nlb_target_group | rds | rds_db_cluster | rds_db_cluster_parameter_group | rds_db_parameter_group | rds_db_subnet_group | rds_global_cluster | rds_proxy | redshift | redshift_cluster_parameter_group | route53_hosted_zone | route_table | s3_bucket | secretsmanager | security_group | ses_identity | sns_topic | sqs | ssm_parameter | subnet | transfer_server | transit_gateway | vpc | vpc_endpoints | vpn_connection | vpn_gateway | waf_web_acl | wafregional_web_acl | account

acm

Acm resource type.

exist

describe acm('example.com') do
  it { should exist }
end

be_pending_validation, be_issued, be_inactive, be_expired, be_validation_timed_out, be_revoked, be_failed

have_domain_name

have_domain_validation_option

describe acm('example.com') do
  it { should have_domain_validation_option(domain_name: 'example.com', validation_method: 'DNS', validation_status: 'SUCCESS') }
  it { should have_domain_validation_option(domain_name: 'mail.example.com', validation_method: 'EMAIL') }
end

its(:certificate_arn), its(:domain_name), its(:subject_alternative_names), its(:serial), its(:subject), its(:issuer), its(:created_at), its(:issued_at), its(:imported_at), its(:status), its(:revoked_at), its(:revocation_reason), its(:not_before), its(:not_after), its(:key_algorithm), its(:signature_algorithm), its(:in_use_by), its(:failure_reason), its(:type), its(:renewal_summary), its(:key_usages), its(:extended_key_usages), its(:certificate_authority_arn), its(:renewal_eligibility), its(:options)

alb

ALB resource type.

exist

describe alb('my-alb') do
  it { should exist }
end

be_active, be_provisioning, be_failed

describe alb('my-alb') do
  it { should be_active }
end

have_security_group

describe alb('my-alb') do
  it { should have_security_group('sg-1a2b3cd4') }
end

have_subnet

describe alb('my-alb') do
  it { should have_subnet('subnet-1234a567') }
end

have_tag

describe alb('my-alb') do
  it { should have_tag('environment').value('dev') }
end

belong_to_vpc

describe alb('my-alb') do
  it { should belong_to_vpc('my-vpc') }
end

its(:load_balancer_arn), its(:dns_name), its(:canonical_hosted_zone_id), its(:created_time), its(:load_balancer_name), its(:scheme), its(:vpc_id), its(:type), its(:security_groups), its(:ip_address_type), its(:customer_owned_ipv_4_pool)

alb_listener

AlbListener resource type.

exist

describe alb_listener('arn:aws:elasticloadbalancing:ap-northeast-1:1234567890:listener/app/my-alb/1aa1bb1cc1ddee11/f2f7dc8efc522ab2') do
  it { should exist }
  its(:port) { should eq 80 }
  its(:protocol) { should eq 'HTTP' }
end

have_rule

describe alb_listener('arn:aws:elasticloadbalancing:ap-northeast-1:1234567890:listener/app/my-alb/1aa1bb1cc1ddee11/f2f7dc8efc522ab2') do
  it { should have_rule('arn:aws:elasticloadbalancing:ap-northeast-1:1234567890:listener-rule/app/my-alb/1aa1bb1cc1ddee11/f2f7dc8efc522ab2/9683b2d02a6cabee') }
  it do
    should have_rule.priority('10')
      .conditions(field: 'path-pattern', values: ['/img/*'])
      .actions(target_group_arn: 'arn:aws:elasticloadbalancing:ap-northeast-1:1234567890:123456789012:targetgroup/73e2d6bc24d8a067/73e2d6bc24d8a067', type: 'forward')
  end
  it do
    should have_rule.priority('10')
      .if(field: 'path-pattern', values: ['/img/*'])
      .then(target_group_arn: 'arn:aws:elasticloadbalancing:ap-northeast-1:1234567890:123456789012:targetgroup/73e2d6bc24d8a067/73e2d6bc24d8a067', type: 'forward')
  end
  it { should have_rule.conditions([{ field: 'path-pattern', values: ['/admin/*'] }, { field: 'host-header', values: ['admin.example.com'] }]) }
  it { should have_rule.actions(target_group_name: 'my-alb-target-group', type: 'forward') }
end

its(:listener_arn), its(:load_balancer_arn), its(:port), its(:protocol), its(:certificates), its(:ssl_policy), its(:alpn_policy)

alb_target_group

AlbTargetGroup resource type.

exist

describe alb_target_group('my-alb-target-group') do
  it { should exist }
  its(:health_check_path) { should eq '/' }
  its(:health_check_port) { should eq 'traffic-port' }
  its(:health_check_protocol) { should eq 'HTTP' }
end

have_ec2

describe alb_target_group('my-alb-target-group') do
  it { should have_ec2('my-ec2') }
end

belong_to_alb

describe alb_target_group('my-alb-target-group') do
  it { should belong_to_alb('my-alb') }
end

belong_to_vpc

describe alb_target_group('my-alb-target-group') do
  it { should belong_to_vpc('my-vpc') }
end

its(:target_group_arn), its(:target_group_name), its(:protocol), its(:port), its(:vpc_id), its(:health_check_protocol), its(:health_check_port), its(:health_check_enabled), its(:health_check_interval_seconds), its(:health_check_timeout_seconds), its(:healthy_threshold_count), its(:unhealthy_threshold_count), its(:health_check_path), its(:load_balancer_arns), its(:target_type), its(:protocol_version), its(:ip_address_type)

ami

AMI resource type.

exist

describe ami('my-ami') do
  it { should exist }
end

be_pending, be_available, be_invalid, be_deregistered, be_transient, be_failed, be_error

describe ami('my-ami') do
  it { should be_available }
end

have_tag

its(:architecture), its(:creation_date), its(:image_id), its(:image_location), its(:image_type), its(:public), its(:kernel_id), its(:owner_id), its(:platform), its(:platform_details), its(:usage_operation), its(:ramdisk_id), its(:state), its(:description), its(:ena_support), its(:hypervisor), its(:image_owner_alias), its(:name), its(:root_device_name), its(:root_device_type), its(:sriov_net_support), its(:state_reason), its(:virtualization_type), its(:boot_mode), its(:tpm_support), its(:deprecation_time), its(:imds_support)

🔓 Advanced use

ami can use Aws::EC2::Image resource (see http://docs.aws.amazon.com/sdkforruby/api/Aws/EC2/Image.html).

apigateway

Apigateway resource type.

exist

describe apigateway('my-apigateway') do
  it { should exist }
end

have_integration_method

have_integration_path

have_method

have_path

its(:id), its(:name), its(:description), its(:created_date), its(:version), its(:warnings), its(:binary_media_types), its(:minimum_compression_size), its(:api_key_source), its(:policy), its(:tags), its(:disable_execute_api_endpoint)

autoscaling_group

AutoscalingGroup resource type.

exist

describe autoscaling_group('my-auto-scaling-group') do
  it { should exist }
end

have_alb_target_group

describe autoscaling_group('my-auto-scaling-group') do
  it { should have_alb_target_group('my-alb-target-group') }
end

have_ec2

describe autoscaling_group('my-auto-scaling-group') do
  it { should have_ec2('my-ec2') }
end

have_elb

describe autoscaling_group('my-auto-scaling-group') do
  it { should have_elb('my-elb') }
end

have_launch_configuration

describe autoscaling_group('my-auto-scaling-group') do
  it { should have_launch_configuration('my-lc') }
end

have_nlb_target_group

have_suspended_process

have_tag

describe autoscaling_group('my-auto-scaling-group') do
  it { should have_tag('Name').value('my-group') }
end

its(:auto_scaling_group_name), its(:auto_scaling_group_arn), its(:launch_configuration_name), its(:launch_template), its(:mixed_instances_policy), its(:min_size), its(:max_size), its(:desired_capacity), its(:predicted_capacity), its(:default_cooldown), its(:availability_zones), its(:load_balancer_names), its(:target_group_arns), its(:health_check_type), its(:health_check_grace_period), its(:created_time), its(:placement_group), its(:vpc_zone_identifier), its(:enabled_metrics), its(:status), its(:termination_policies), its(:new_instances_protected_from_scale_in), its(:service_linked_role_arn), its(:max_instance_lifetime), its(:capacity_rebalance), its(:warm_pool_configuration), its(:warm_pool_size), its(:context), its(:desired_capacity_type), its(:default_instance_warmup), its(:traffic_sources)

batch_compute_environment

BatchComputeEnvironment resource type.

exist

describe batch_compute_environment('my-batch-compute-environment') do
  it { should exist }
end

be_disabled

be_enabled

be_enabled, be_disabled

describe batch_compute_environment('my-batch-compute-environment') do
  it { should be_enabled }
end

be_managed

be_managed, be_unmanaged

describe batch_compute_environment('my-batch-compute-environment') do
  it { should be_managed }
end

be_unmanaged

its(:compute_environment_name), its(:compute_environment_arn), its(:unmanagedv_cpus), its(:ecs_cluster_arn), its(:tags), its(:type), its(:state), its(:status), its(:status_reason), its(:service_role), its(:update_policy), its(:eks_configuration), its(:container_orchestration_type), its(:uuid)

batch_job_definition

BatchJobDefinition resource type.

exist

describe batch_job_definition('my-batch-job-definition') do
  it { should exist }
end

its(:job_definition_name), its(:job_definition_arn), its(:revision), its(:status), its(:type), its(:scheduling_priority), its(:parameters), its(:retry_strategy), its(:timeout), its(:node_properties), its(:tags), its(:propagate_tags), its(:platform_capabilities), its(:eks_properties), its(:container_orchestration_type)

batch_job_queue

BatchJobQueue resource type.

exist

describe batch_job_queue('my-batch-job-queue') do
  it { should exist }
end

be_disabled

be_enabled

have_compute_environment_order

describe batch_job_queue('my-batch-job-queue') do
  it { should have_compute_environment_order('arn:aws:batch:us-east-1:012345678910:compute-environment/C4OnDemand', 1) }
end

its(:job_queue_name), its(:job_queue_arn), its(:state), its(:scheduling_policy_arn), its(:status), its(:status_reason), its(:priority), its(:tags)

cloudformation_stack

CloudformationStack resource type.

exist

describe cloudformation_stack('my-cloudformation-stack') do
  it { should exist }
  its(:stack_status) { should eq 'UPDATE_COMPLETE' }
end

have_tag

describe cloudformation_stack('my-cloudformation-stack') do
  it { should have_tag('env').value('dev') }
end

its(:stack_id), its(:stack_name), its(:change_set_id), its(:description), its(:parameters), its(:creation_time), its(:deletion_time), its(:last_updated_time), its(:rollback_configuration), its(:stack_status), its(:stack_status_reason), its(:disable_rollback), its(:notification_arns), its(:timeout_in_minutes), its(:capabilities), its(:role_arn), its(:enable_termination_protection), its(:parent_id), its(:root_id), its(:drift_information)

cloudfront_distribution

CloudfrontDistribution resource type.

exist

describe cloudfront_distribution('123456789zyxw.cloudfront.net') do
  it { should exist }
end

be_in_progress, be_deployed

describe cloudfront_distribution('123456789zyxw.cloudfront.net') do
  it { should be_deployed }
end

have_custom_response_error_code

describe cloudfront_distribution('123456789zyxw.cloudfront.net') do
  it do
    should have_custom_response_error_code(400)
      .error_caching_min_ttl(60)
      .response_page_path('/path/to/400.html')
      .response_code(400)
  end
  it do
    should have_custom_response_error_code(403)
      .error_caching_min_ttl(60)
      .response_page_path('/path/to/403.html')
      .response_code('403')
  end
  it do
    should have_custom_response_error_code(500)
      .error_caching_min_ttl(60)
  end
end

have_origin

describe cloudfront_distribution('E2CLOUDFRONTXX') do
  it do
    should have_origin('cf-s3-origin-hosting.dev.example.com')
      .domain_name('cf-s3-origin-hosting.dev.example.com.s3.amazonaws.com')
      .origin_path('/img')
      .origin_access_identity('origin-access-identity/cloudfront/E2VVVVVVVVVVVV')
  end
end

have_origin_domain_name

describe cloudfront_distribution('123456789zyxw.cloudfront.net') do
  it { should have_origin_domain_name('cf-s3-origin-hosting.dev.example.com.s3.amazonaws.com') }
end

have_origin_domain_name_and_path

describe cloudfront_distribution('123456789zyxw.cloudfront.net') do
  it { should have_origin_domain_name_and_path('cf-s3-origin-hosting.dev.example.com.s3.amazonaws.com/img') }
end

its(:id), its(:arn), its(:status), its(:last_modified_time), its(:domain_name), its(:origin_groups), its(:comment), its(:price_class), its(:enabled), its(:web_acl_id), its(:http_version), its(:is_ipv6_enabled), its(:alias_icp_recordals), its(:staging)

cloudtrail

Cloudtrail resource type.

exist

describe cloudtrail('my-trail') do
  it { should exist }
end

be_logging

describe cloudtrail('my-trail') do
  it { should be_logging }
end

be_multi_region_trail

describe cloudtrail('my-trail') do
  it { should be_multi_region_trail }
end

have_global_service_events_included

describe cloudtrail('my-trail') do
  it { should have_global_service_events_included }
end

have_log_file_validation_enabled

describe cloudtrail('my-trail') do
  it { should have_log_file_validation_enabled }
end

have_tag

describe cloudtrail('my-trail') do
  it { should have_tag('Name').value('my-trail') }
end

its(:name), its(:s3_bucket_name), its(:s3_key_prefix), its(:sns_topic_name), its(:sns_topic_arn), its(:include_global_service_events), its(:is_multi_region_trail), its(:home_region), its(:trail_arn), its(:log_file_validation_enabled), its(:cloud_watch_logs_log_group_arn), its(:cloud_watch_logs_role_arn), its(:kms_key_id), its(:has_custom_event_selectors), its(:has_insight_selectors), its(:is_organization_trail)

cloudwatch_alarm

CloudwatchAlarm resource type.

exist

describe cloudwatch_alarm('my-cloudwatch-alarm') do
  it { should exist }
end

have_alarm_action

describe cloudwatch_alarm('my-cloudwatch-alarm') do
  it { should have_alarm_action('arn:aws:sns:ap-northeast-1:1234567890:sns_alert') }
end

have_insufficient_data_action

describe cloudwatch_alarm('my-cloudwatch-alarm') do
  it { should have_insufficient_data_action('arn:aws:sns:ap-northeast-1:1234567890:sns_alert') }
end

have_ok_action

describe cloudwatch_alarm('my-cloudwatch-alarm') do
  it { should have_ok_action('arn:aws:sns:ap-northeast-1:1234567890:sns_alert') }
end

belong_to_metric

describe cloudwatch_alarm('my-cloudwatch-alarm') do
  it { should belong_to_metric('NumberOfProcesses').namespace('my-cloudwatch-namespace') }
end

its(:alarm_name), its(:alarm_arn), its(:alarm_description), its(:alarm_configuration_updated_timestamp), its(:actions_enabled), its(:ok_actions), its(:alarm_actions), its(:insufficient_data_actions), its(:state_value), its(:state_reason), its(:state_reason_data), its(:state_updated_timestamp), its(:metric_name), its(:namespace), its(:statistic), its(:extended_statistic), its(:period), its(:unit), its(:evaluation_periods), its(:datapoints_to_alarm), its(:threshold), its(:comparison_operator), its(:treat_missing_data), its(:evaluate_low_sample_count_percentile), its(:metrics), its(:threshold_metric_id), its(:evaluation_state), its(:state_transitioned_timestamp)

cloudwatch_event

CloudwatchEvent resource type.

exist

be_enable

be_scheduled

its(:name), its(:arn), its(:event_pattern), its(:state), its(:description), its(:schedule_expression), its(:role_arn), its(:managed_by), its(:event_bus_name)

cloudwatch_logs

CloudwatchLogs resource type.

exist

describe cloudwatch_logs('my-cloudwatch-logs-group') do
  it { should exist }
end

have_log_stream

describe cloudwatch_logs('my-cloudwatch-logs-group') do
  it { should have_log_stream('my-cloudwatch-logs-stream') }
end

have_metric_filter

describe cloudwatch_logs('my-cloudwatch-logs-group') do
  it { should have_metric_filter('my-cloudwatch-logs-metric-filter') }
end

or

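# Same check as above, but also pinning the metric filter's pattern.
# The `end` closing the `it` block was indented one column short, which
# breaks the example's alignment with the other multi-line examples.
describe cloudwatch_logs('my-cloudwatch-logs-group') do
  it do
    should have_metric_filter('my-cloudwatch-logs-metric-filter')
      .filter_pattern('[date, error]')
  end
end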

have_subscription_filter

describe cloudwatch_logs('my-cloudwatch-logs-group') do
  it { should have_subscription_filter('my-cloudwatch-logs-subscription-filter') }
end

or

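# Same check as above, but also pinning the subscription filter's pattern.
# A leading `.` continues the method chain on its own, so the trailing
# backslash the example carried is redundant and is dropped for consistency
# with the have_metric_filter example.
describe cloudwatch_logs('my-cloudwatch-logs-group') do
  it do
    should have_subscription_filter('my-cloudwatch-logs-subscription-filter')
      .filter_pattern('[host, ident, authuser, date, request, status, bytes]')
  end
end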

have_tag

describe cloudwatch_logs('my-cloudwatch-logs-group') do
  it { should have_tag('Name').value('my-cloudwatch-logs-group') }
end

its(:log_group_name), its(:creation_time), its(:retention_in_days), its(:metric_filter_count), its(:arn), its(:stored_bytes), its(:kms_key_id), its(:data_protection_status)

codebuild

Codebuild resource type.

exist

codedeploy

Codedeploy resource type.

exist

its(:application_id), its(:application_name), its(:create_time), its(:linked_to_git_hub), its(:git_hub_account_name), its(:compute_platform)

codedeploy_deployment_group

CodedeployDeploymentGroup resource type.

exist

You can set the application_name (default: default).

describe codedeploy_deployment_group('my-codedeploy-deployment-group'), application_name: 'my-codedeploy-application' do
  it { should exist }
end

have_autoscaling_group

describe codedeploy_deployment_group('my-codedeploy-deployment-group'), application_name: 'my-codedeploy-application' do
  it { should have_autoscaling_group('my-autoscaling-group') }
end

its(:application_name), its(:deployment_group_id), its(:deployment_group_name), its(:deployment_config_name), its(:on_premises_instance_tag_filters), its(:service_role_arn), its(:target_revision), its(:trigger_configurations), its(:alarm_configuration), its(:deployment_style), its(:outdated_instances_strategy), its(:load_balancer_info), its(:last_successful_deployment), its(:last_attempted_deployment), its(:ec2_tag_set), its(:on_premises_tag_set), its(:compute_platform), its(:ecs_services)

cognito_identity_pool

CognitoIdentityPool resource type.

exist

describe cognito_identity_pool('my-cognito-identity-pool') do
  it { should exist }
end

its(:identity_pool_id), its(:identity_pool_name)

cognito_user_pool

CognitoUserPool resource type.

exist

describe cognito_user_pool('my-cognito-user-pool') do
  it { should exist }
end

its(:id), its(:name), its(:status), its(:last_modified_date), its(:creation_date)

customer_gateway

CustomerGateway resource type.

exist

describe customer_gateway('my-customer-gateway') do
  it { should exist }
end

be_pending, be_available, be_deleting, be_deleted

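# The state matchers listed for customer_gateway are be_pending, be_available,
# be_deleting and be_deleted; be_running is not one of them (it belongs to
# ec2), so the example uses be_available.
describe customer_gateway('my-customer-gateway') do
  it { should be_available }
end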

have_tag

describe customer_gateway('my-customer-gateway') do
  it { should have_tag('Name').value('my-customer-gateway') }
end

its(:bgp_asn), its(:customer_gateway_id), its(:ip_address), its(:certificate_arn), its(:state), its(:type), its(:device_name), its(:tags)

directconnect_virtual_interface

DirectconnectVirtualInterface resource type.

describe directconnect_virtual_interface('my-directconnect-virtual-interface') do
  it { should exist }
  it { should be_available }
  its(:connection_id) { should eq 'dxcon-abcd5fgh' }
  its(:virtual_interface_id) { should eq 'dxvif-aabbccdd' }
  its(:amazon_address) { should eq '170.252.252.1/30' }
  its(:customer_address) { should eq '123.456.789.2/30' }
  its(:virtual_gateway_id) { should eq 'vgw-d234e5f6' }
end

exist

describe directconnect_virtual_interface('my-directconnect-virtual-interface') do
  it { should exist }
end

be_confirming, be_verifying, be_pending, be_available, be_deleting, be_deleted, be_rejected

describe directconnect_virtual_interface('my-directconnect-virtual-interface') do
  it { should exist }
  it { should be_available }
end

its(:owner_account), its(:virtual_interface_id), its(:location), its(:connection_id), its(:virtual_interface_type), its(:virtual_interface_name), its(:vlan), its(:asn), its(:amazon_side_asn), its(:auth_key), its(:amazon_address), its(:customer_address), its(:address_family), its(:virtual_interface_state), its(:customer_router_config), its(:mtu), its(:jumbo_frame_capable), its(:virtual_gateway_id), its(:direct_connect_gateway_id), its(:route_filter_prefixes), its(:bgp_peers), its(:region), its(:aws_device_v2), its(:aws_logical_device_id), its(:tags), its(:site_link_enabled)

dynamodb_table

DynamodbTable resource type.

exist

describe dynamodb_table('my-dynamodb-table') do
  it { should exist }
end

be_creating, be_updating, be_deleting, be_active

have_attribute_definition

describe dynamodb_table('my-dynamodb-table') do
  it { should have_attribute_definition('my-dynamodb-table-attaribute1').attribute_type('S') }
  it { should have_attribute_definition('my-dynamodb-table-attaribute2').attribute_type('N') }
end

have_key_schema

describe dynamodb_table('my-dynamodb-table') do
  it { should have_key_schema('my-dynamodb-table-key_schema1').key_type('HASH') }
  it { should have_key_schema('my-dynamodb-table-key_schema2').key_type('RANGE') }
end

its(:table_name), its(:table_status), its(:creation_date_time), its(:table_size_bytes), its(:item_count), its(:table_arn), its(:table_id), its(:billing_mode_summary), its(:local_secondary_indexes), its(:global_secondary_indexes), its(:stream_specification), its(:latest_stream_label), its(:latest_stream_arn), its(:global_table_version), its(:replicas), its(:restore_summary), its(:sse_description), its(:archival_summary), its(:table_class_summary), its(:deletion_protection_enabled)

🔓 Advanced use

dynamodb_table can use Aws::DynamoDB::Table resource (see http://docs.aws.amazon.com/sdkforruby/api/Aws/DynamoDB/Table.html).

describe dynamodb_table('my-dynamodb-table') do
  its('key_schema.first.key_type') { should eq 'HASH' }
end

or

describe dynamodb_table('my-dynamodb-table') do
  its('resource.key_schema.first.key_type') { should eq 'HASH' }
end

ebs

EBS resource type.

exist

describe ebs('my-volume') do
  it { should exist }
end

be_attached_to

describe ebs('my-volume') do
  it { should be_attached_to('my-ec2') }
end

be_creating, be_available, be_in_use, be_deleting, be_deleted, be_error

describe ebs('my-volume') do
  it { should be_in_use }
end

have_tag

describe ebs('my-volume') do
  it { should have_tag('Name').value('my-volume') }
end

its(:availability_zone), its(:create_time), its(:encrypted), its(:kms_key_id), its(:outpost_arn), its(:size), its(:snapshot_id), its(:state), its(:volume_id), its(:iops), its(:volume_type), its(:fast_restored), its(:multi_attach_enabled), its(:throughput)

🔓 Advanced use

ebs can use Aws::EC2::Volume resource (see http://docs.aws.amazon.com/sdkforruby/api/Aws/EC2/Volume.html).

describe ebs('my-volume') do
  its('attachments.first.instance_id') { should eq 'i-ec12345a' }
end

or

describe ebs('my-volume') do
  its('resource.attachments.first.instance_id') { should eq 'i-ec12345a' }
end

ec2

EC2 resource type.

exist

describe ec2('my-ec2') do
  it { should exist }
end

be_disabled_api_termination

describe ec2('my-ec2') do
  it { should be_disabled_api_termination }
end

be_pending, be_running, be_shutting_down, be_terminated, be_stopping, be_stopped

describe ec2('my-ec2') do
  it { should be_running }
end

have_classiclink

describe ec2('my-ec2-classic') do
  it { should have_classiclink('my-vpc') }
end

have_classiclink_security_group

describe ec2('my-ec2-classic') do
  it { should have_classiclink_security_group('sg-2a3b4cd5') }
  it { should have_classiclink_security_group('my-vpc-security-group-name') }
end

have_credit_specification

The credit option for CPU usage of a T2 or T3 instance.

describe ec2('my-ec2') do
  it { should have_credit_specification('unlimited') }
end

have_ebs

describe ec2('my-ec2') do
  it { should have_ebs('vol-123a123b') }
  it { should have_ebs('my-volume') }
end

have_eip

describe ec2('my-ec2') do
  it { should have_eip('123.0.456.789') }
end

have_event

describe ec2('my-ec2') do
  it { should have_event('system-reboot') }
end

have_events

describe ec2('my-ec2') do
  it { should_not have_events }
end

have_iam_instance_profile

describe ec2('my-ec2') do
  it { should have_iam_instance_profile('Ec2IamProfileName') }
end

have_network_interface

describe ec2('my-ec2') do
  it { should have_network_interface('my-eni') }
  it { should have_network_interface('eni-12ab3cde') }
  it { should have_network_interface('my-eni').as_eth0 }
end

have_security_group

describe ec2('my-ec2') do
  it { should have_security_group('my-security-group-name') }
  it { should have_security_group('sg-1a2b3cd4') }
end

have_security_groups

describe ec2('my-ec2') do
  it { should have_security_groups(['my-security-group-name-1', 'my-security-group-name-2']) }
  it { should have_security_groups(['sg-1a2b3cd4', 'sg-5e6f7gh8']) }
end

have_tag

describe ec2('my-ec2') do
  it { should have_tag('Name').value('my-ec2') }
end

belong_to_subnet

describe ec2('my-ec2') do
  it { should belong_to_subnet('subnet-1234a567') }
  it { should belong_to_subnet('my-subnet') }
end

belong_to_vpc

describe ec2('my-ec2') do
  it { should belong_to_vpc('vpc-ab123cde') }
  it { should belong_to_vpc('my-vpc') }
end

its(:ami_launch_index), its(:image_id), its(:instance_id), its(:instance_type), its(:kernel_id), its(:key_name), its(:launch_time), its(:monitoring), its(:placement), its(:platform), its(:private_dns_name), its(:private_ip_address), its(:product_codes), its(:public_dns_name), its(:public_ip_address), its(:ramdisk_id), its(:state_transition_reason), its(:subnet_id), its(:vpc_id), its(:architecture), its(:client_token), its(:ebs_optimized), its(:ena_support), its(:hypervisor), its(:instance_lifecycle), its(:elastic_gpu_associations), its(:elastic_inference_accelerator_associations), its(:outpost_arn), its(:root_device_name), its(:root_device_type), its(:source_dest_check), its(:spot_instance_request_id), its(:sriov_net_support), its(:state_reason), its(:virtualization_type), its(:cpu_options), its(:capacity_reservation_id), its(:capacity_reservation_specification), its(:hibernation_options), its(:licenses), its(:metadata_options), its(:enclave_options), its(:boot_mode), its(:platform_details), its(:usage_operation), its(:usage_operation_update_time), its(:private_dns_name_options), its(:ipv_6_address), its(:tpm_support), its(:maintenance_options), its(:current_instance_boot_mode)

🔓 Advanced use

ec2 can use Aws::EC2::Instance resource (see http://docs.aws.amazon.com/sdkforruby/api/Aws/EC2/Instance.html).

describe ec2('my-ec2') do
  its('vpc.id') { should eq 'vpc-ab123cde' }
end

or

describe ec2('my-ec2') do
  its('resource.vpc.id') { should eq 'vpc-ab123cde' }
end

Awspec::DuplicatedResourceTypeError exception

EC2 resources might share the same tag value; if you try to search for a specific instance using that tag/tag value you might find multiple results and receive an Awspec::DuplicatedResourceTypeError exception as a result.

To avoid such situations, use EC2 instance IDs and then use those IDs to test whatever you need.

There are several ways to provide such IDs, such as a Terraform output or the AWS SDK directly:

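require 'awspec'
require 'aws-sdk-ec2'

# Resolve instances by tag once, then drive the specs by instance ID so that
# a duplicated tag value cannot raise Awspec::DuplicatedResourceTypeError.
tag_name = 'tag:Name'
tag_value = 'foobar'

# Named ec2_resource rather than ec2 so the local does not shadow the awspec
# ec2(...) helper used inside the describe block below.
ec2_resource = Aws::EC2::Resource.new

# instance id => subnet id for every instance matching the tag filter.
# tag_name/tag_value are already strings, so no interpolation is needed.
servers = ec2_resource
          .instances(filters: [{ name: tag_name, values: [tag_value] }])
          .each_with_object({}) { |i, acc| acc[i.id] = i.subnet_id }

raise "Could not find any EC2 instance with #{tag_name} = #{tag_value}!" if servers.empty?

servers.each_pair do |instance_id, subnet_id|
  describe ec2(instance_id) do
    it { should exist }
    it { should be_running }
    its(:image_id) { should eq 'ami-12345foobar' }
    its(:instance_type) { should eq 't2.micro' }
    it { should belong_to_subnet(subnet_id) }
  end
end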

ecr_repository

ECR Repository resource type.

exist

describe ecr_repository('my-ecr-repository') do
  it { should exist }
end

its(:repository_arn), its(:registry_id), its(:repository_name), its(:repository_uri), its(:created_at), its(:image_tag_mutability), its(:image_scanning_configuration), its(:encryption_configuration)

ecs_cluster

ECS Cluster resource type.

exist

describe ecs_cluster('my-ecs-cluster') do
  it { should exist }
end

be_active, be_inactive

describe ecs_cluster('my-ecs-cluster') do
  it { should be_active }
end

have_container_instance

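# The original example called have_container_instance(...) without `should`,
# which builds the matcher but never asserts it, so the example passed
# regardless of the cluster's contents.
describe ecs_cluster('my-ecs-cluster') do
  it { should have_container_instance('f2756532-8f13-4d53-87c9-aed50dc94cd7') }
end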

its(:cluster_arn), its(:cluster_name), its(:configuration), its(:status), its(:registered_container_instances_count), its(:running_tasks_count), its(:pending_tasks_count), its(:active_services_count), its(:statistics), its(:tags), its(:settings), its(:capacity_providers), its(:default_capacity_provider_strategy), its(:attachments), its(:attachments_status), its(:service_connect_defaults)

ecs_container_instance

ECS Container Instance resource type.

exist

You can set cluster (default: default).

describe ecs_container_instance('my-container-instance'), cluster: 'my-ecs-cluster' do
  it { should exist }
end

be_active, be_inactive

describe ecs_container_instance('my-container-instance'), cluster: 'my-ecs-cluster' do
  it { should be_active }
end

its(:container_instance_arn), its(:ec2_instance_id), its(:capacity_provider_name), its(:version), its(:version_info), its(:status), its(:status_reason), its(:agent_connected), its(:running_tasks_count), its(:pending_tasks_count), its(:agent_update_status), its(:attributes), its(:registered_at), its(:attachments), its(:tags), its(:health_status)

ecs_service

ECS Service resource type.

exist

You can set cluster (default: default).

describe ecs_service('my-ecs-service'), cluster: 'my-ecs-cluster' do
  it { should exist }
end

be_active, be_draining, be_inactive

describe ecs_service('my-ecs-service'), cluster: 'my-ecs-cluster' do
  it { should be_active }
end

its(:service_arn), its(:service_name), its(:cluster_arn), its(:load_balancers), its(:service_registries), its(:status), its(:desired_count), its(:running_count), its(:pending_count), its(:launch_type), its(:capacity_provider_strategy), its(:platform_version), its(:platform_family), its(:task_definition), its(:task_sets), its(:role_arn), its(:created_at), its(:placement_constraints), its(:placement_strategy), its(:network_configuration), its(:health_check_grace_period_seconds), its(:scheduling_strategy), its(:deployment_controller), its(:tags), its(:created_by), its(:enable_ecs_managed_tags), its(:propagate_tags), its(:enable_execute_command)

ecs_task_definition

ECS Task Definition resource type.

exist

describe ecs_task_definition('my-ecs-task-definition') do
  it { should exist }
end

be_active, be_inactive

describe ecs_task_definition('my-ecs-task-definition') do
  it { should be_active }
end

its(:task_definition_arn), its(:family), its(:task_role_arn), its(:execution_role_arn), its(:network_mode), its(:revision), its(:volumes), its(:status), its(:requires_attributes), its(:placement_constraints), its(:compatibilities), its(:runtime_platform), its(:requires_compatibilities), its(:cpu), its(:memory), its(:inference_accelerators), its(:pid_mode), its(:ipc_mode), its(:proxy_configuration), its(:registered_at), its(:deregistered_at), its(:registered_by), its(:ephemeral_storage)

efs

EFS resource type.

exist

describe efs('my-efs') do
  it { should exist }
end

have_tag

describe efs('my-efs') do
  it { should have_tag('my-key').value('my-value') }
end

its(:owner_id), its(:creation_token), its(:file_system_id), its(:file_system_arn), its(:creation_time), its(:life_cycle_state), its(:name), its(:number_of_mount_targets), its(:performance_mode), its(:encrypted), its(:kms_key_id), its(:throughput_mode), its(:provisioned_throughput_in_mibps), its(:availability_zone_name), its(:availability_zone_id)

elastic_ip

Elastic IP (eip) resource type.

exist

describe eip('my-eip') do
  it { should exist }
end

be_associated_to

describe eip('123.0.456.789') do
  it { should be_associated_to('i-ec12345a') }
end

belong_to_domain

describe eip('123.0.456.789') do
  it { should belong_to_domain('vpc') }
end

its(:instance_id), its(:public_ip), its(:allocation_id), its(:association_id), its(:domain), its(:network_interface_id), its(:network_interface_owner_id), its(:private_ip_address), its(:public_ipv_4_pool), its(:network_border_group), its(:customer_owned_ip), its(:customer_owned_ipv_4_pool), its(:carrier_ip)

eks

Eks resource type.

exist

describe eks('my-eks') do
  it { should exist }
end

be_active, be_creating

describe eks('my-eks') do
  it { should be_active }
end

its(:name), its(:arn), its(:created_at), its(:version), its(:endpoint), its(:role_arn), its(:kubernetes_network_config), its(:logging), its(:identity), its(:status), its(:client_request_token), its(:platform_version), its(:tags), its(:encryption_config), its(:connector_config), its(:id), its(:health), its(:outpost_config)

eks_nodegroup

EksNodegroup resource type.

exist

describe eks_nodegroup('my-eks-nodegroup'), cluster: 'my-cluster' do
  it { should exist }
end

be_active, be_inactive

be_ready

This matcher might not be exactly what you are expecting: it is different from what you see in the AWS console under the Node Group configuration when you check whether the nodes' Status is "Ready".

What you see there is the same information you would get using kubectl.

This matcher cannot do the same because it would require calling the Kubernetes API: the AWS Ruby SDK currently doesn't expose this information.

What the be_ready matcher asserts is that at least the expected number of EC2 instances (the nodes in your EKS Node Group) are in the running state. It doesn't mean everything is fine: a node (EC2 instance) can be running but unable to communicate with the cluster, or have some other issue with its Kubernetes configuration.

Although it might look like an incomplete assertion, the Node Group "Status" will definitely not be "Active" if the EC2 instances associated with it are not running.

So, using this assertion as in the sample below:

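# be_ready is a matcher of the eks_nodegroup resource type, so the example
# targets the node group (with its cluster), not the eks cluster resource.
describe eks_nodegroup('my-eks-nodegroup'), cluster: 'my-cluster' do
  it { should be_ready }
end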

will pass if at least the minimum expected number of EC2 instances (see scaling_config) are running.

have_security_group

describe eks_nodegroup('my-eks-nodegroup'), cluster: 'my-cluster' do
  it { should have_security_group('sg-1a2b3cd4') }
end

its(:nodegroup_name), its(:nodegroup_arn), its(:cluster_name), its(:version), its(:release_version), its(:created_at), its(:modified_at), its(:status), its(:capacity_type), its(:instance_types), its(:subnets), its(:remote_access), its(:ami_type), its(:node_role), its(:labels), its(:taints), its(:resources), its(:disk_size), its(:health), its(:update_config), its(:launch_template), its(:tags)

elasticache

Elasticache resource type.

exist

describe elasticache('my-rep-group-001') do
  it { should exist }
end

be_available, be_creating, be_deleted, be_deleting, be_incompatible_network, be_modifying, be_rebooting_cache_cluster_nodes, be_restore_failed, be_snapshotting

describe elasticache('my-rep-group-001') do
  it { should be_available }
end

have_cache_parameter_group

describe elasticache('my-rep-group-001') do
  it { should have_cache_parameter_group('my-cache-parameter-group') }
end

have_security_group

describe elasticache('my-rep-group-001') do
  it { should have_security_group('sg-da1bc2ef') }
  it { should have_security_group('group-name-sg') }
  it { should have_security_group('my-cache-sg') }
end

belong_to_cache_subnet_group

describe elasticache('my-rep-group-001') do
  it { should belong_to_cache_subnet_group('my-cache-subnet-group') }
end

belong_to_replication_group

describe elasticache('my-rep-group-001') do
  it { should belong_to_replication_group('my-rep-group') }
end

belong_to_vpc

describe elasticache('my-rep-group-001') do
  it { should belong_to_vpc('my-vpc') }
end

its(:cache_cluster_id), its(:configuration_endpoint), its(:client_download_landing_page), its(:cache_node_type), its(:engine), its(:engine_version), its(:cache_cluster_status), its(:num_cache_nodes), its(:preferred_availability_zone), its(:preferred_outpost_arn), its(:cache_cluster_create_time), its(:preferred_maintenance_window), its(:notification_configuration), its(:cache_security_groups), its(:cache_subnet_group_name), its(:cache_nodes), its(:auto_minor_version_upgrade), its(:replication_group_id), its(:snapshot_retention_limit), its(:snapshot_window), its(:auth_token_enabled), its(:auth_token_last_modified_date), its(:transit_encryption_enabled), its(:at_rest_encryption_enabled), its(:arn), its(:replication_group_log_delivery_enabled), its(:log_delivery_configurations), its(:network_type), its(:ip_discovery), its(:transit_encryption_mode)

elasticache_cache_parameter_group

ElasticacheCacheParameterGroup resource type.

describe elasticache_cache_parameter_group('my-cache-parameter-group') do
  it { should exist }
  its(:activerehashing) { should eq 'yes' }
  its(:client_output_buffer_limit_pubsub_hard_limit) { should eq '33554432' }
end

exist

describe elasticache_cache_parameter_group('my-cache-parameter-group') do
  it { should exist }
end

elasticsearch

Elasticsearch resource type.

exist

describe elasticsearch('my-elasticsearch') do
  it { should exist }
end

be_created

describe elasticsearch('my-elasticsearch') do
  it { should be_created }
end

be_deleted

describe elasticsearch('my-elasticsearch') do
  it { should be_deleted }
end

have_access_policies

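describe elasticsearch('my-elasticsearch') do
  it do
    # NOTE(review): IAM policy documents are case-sensitive ("Version", "Statement",
    # "Effect": "Allow"); confirm the matcher normalizes case before relying on a
    # lowercase sample like this one.
    should have_access_policies <<-policy
{
  "version": "2012-10-17",
  "statement": [
    {
      "effect": "allow",
      "principal": "*",
      "action": [
        "es:*"
      ],
      "resource": "arn:aws:es:ap-northeast-1:1234567890:domain/my-elasticsearch/*"
    }
  ]
}
  policy
  end
end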

its(:domain_id), its(:domain_name), its(:arn), its(:created), its(:deleted), its(:endpoint), its(:endpoints), its(:processing), its(:upgrade_processing), its(:elasticsearch_version), its(:access_policies), its(:snapshot_options), its(:vpc_options), its(:cognito_options), its(:encryption_at_rest_options), its(:node_to_node_encryption_options), its(:advanced_options), its(:log_publishing_options), its(:service_software_options), its(:domain_endpoint_options), its(:advanced_security_options), its(:auto_tune_options), its(:change_progress_details)

elastictranscoder_pipeline

ElastictranscoderPipeline resource type.

exist

be_active, be_paused

describe elastictranscoder_pipeline('my-elastictranscoder-pipeline') do
  it { should be_active }
end

elb

ELB resource type.

exist

describe elb('my-elb') do
  it { should exist }
end

be_cross_zone_load_balancing_enabled

describe elb('my-elb') do
  it { should be_cross_zone_load_balancing_enabled }
end

have_access_log

describe elb('my-elb') do
  it { should have_access_log(s3_bucket_name: 'my-loadbalancer-logs', s3_bucket_prefix: 'my-app', emit_interval: 5) }
end

have_connection_draining

describe elb('my-elb') do
  it { should have_connection_draining(timeout: 300) }
end

have_ec2

describe elb('my-elb') do
  it { should have_ec2('my-ec2') }
end

have_listener

http://docs.aws.amazon.com/en_us/ElasticLoadBalancing/latest/DeveloperGuide/elb-listener-config.html

describe elb('my-elb') do
  it { should have_listener(protocol: 'HTTPS', port: 443, instance_protocol: 'HTTP', instance_port: 80) }
end

have_security_group

describe elb('my-elb') do
  it { should have_security_group('my-lb-security-group-tag-name') }
end

have_subnet

describe elb('my-elb') do
  it { should have_subnet('my-subnet') }
end

have_tag

describe elb('my-elb') do
  it { should have_tag('Name').value('my-elb') }
  it { should have_tag('my-tag-key').value('my-tag-value') }
end

belong_to_vpc

describe elb('my-elb') do
  it { should belong_to_vpc('my-vpc') }
end

its(:health_check_target), its(:health_check_interval), its(:health_check_timeout), its(:health_check_unhealthy_threshold), its(:health_check_healthy_threshold), its(:idle_timeout), its(:load_balancer_name), its(:dns_name), its(:canonical_hosted_zone_name), its(:canonical_hosted_zone_name_id), its(:backend_server_descriptions), its(:availability_zones), its(:subnets), its(:vpc_id), its(:security_groups), its(:created_time), its(:scheme)

emr

Emr resource type.

exist

describe emr('my-emr') do
  it { should exist }
end

be_healthy

describe emr('my-emr') do
  it { should be_healthy }
end

be_ok

be_ready

be_running, be_waiting, be_starting, be_bootstrapping

describe emr('my-emr') do
  it { should be_running }
end

its(:id), its(:name), its(:instance_collection_type), its(:log_uri), its(:log_encryption_kms_key_id), its(:requested_ami_version), its(:running_ami_version), its(:release_label), its(:auto_terminate), its(:termination_protected), its(:visible_to_all_users), its(:service_role), its(:normalized_instance_hours), its(:master_public_dns_name), its(:configurations), its(:security_configuration), its(:auto_scaling_role), its(:scale_down_behavior), its(:custom_ami_id), its(:ebs_root_volume_size), its(:repo_upgrade_on_boot), its(:cluster_arn), its(:outpost_arn), its(:step_concurrency_level), its(:placement_groups), its(:os_release_label)

firehose

Firehose resource type.

exist

describe firehose('my-firehose') do
  it { should exist }
end

be_active

describe firehose('my-firehose') do
  it { should be_active }
end

be_creating

be_deleting

have_splunk_destination

describe firehose('my-firehose') do
  it { should have_splunk_destination }
end

its(:delivery_stream_name), its(:delivery_stream_arn), its(:delivery_stream_status), its(:failure_description), its(:delivery_stream_encryption_configuration), its(:delivery_stream_type), its(:version_id), its(:create_timestamp), its(:last_update_timestamp), its(:source), its(:has_more_destinations)

🔓 Advanced use

describe firehose('my-firehose') do
  its(:delivery_stream_type) { should be_eql('DirectPut') }
end

iam_group

IamGroup resource type.

exist

describe iam_group('my-iam-group') do
  it { should exist }
end

be_allowed_action

describe iam_group('my-iam-group') do
  it { should be_allowed_action('ec2:DescribeInstances') }
  it { should be_allowed_action('s3:Put*').resource_arn('arn:aws:s3:::my-bucket-name/*') }
end

have_iam_policy

describe iam_group('my-iam-group') do
  it { should have_iam_policy('ReadOnlyAccess') }
end

have_iam_user

describe iam_group('my-iam-group') do
  it { should have_iam_user('my-iam-user') }
end

have_inline_policy

describe iam_group('my-iam-group') do
  it { should have_inline_policy('InlineEC2FullAccess') }
  it do
    should have_inline_policy('InlineEC2FullAccess').policy_document(<<-'DOC')
{
  "Statement": [
    {
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "cloudwatch:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:*",
      "Resource": "*"
    }
  ]
}
DOC
  end
end

You can test for the absence of inline policies.

describe iam_group('my-iam-group') do
  it { should_not have_inline_policy }
end

its(:path), its(:group_name), its(:group_id), its(:arn), its(:create_date)

🔓 Advanced use

iam_group can use the Aws::IAM::Group resource (see http://docs.aws.amazon.com/sdkforruby/api/Aws/IAM/Group.html).

describe iam_group('my-iam-group') do
  its('users.count') { should eq 5 }
end

or

describe iam_group('my-iam-group') do
  its('resource.users.count') { should eq 5 }
end

iam_policy

IamPolicy resource type.

exist

describe iam_policy('my-iam-policy') do
  it { should exist }
end

be_attachable

describe iam_policy('my-iam-policy') do
  it { should be_attachable }
end

be_attached_to_group

describe iam_policy('my-iam-policy') do
  it { should be_attached_to_group('my-iam-group') }
end

be_attached_to_role

describe iam_policy('my-iam-policy') do
  it { should be_attached_to_role('HelloIAmGodRole') }
end

be_attached_to_user

describe iam_policy('my-iam-user') do
  it { should be_attached_to_user('my-iam-user') }
end

have_policy_document

describe iam_policy('my-iam-user') do
  it do
    should have_policy_document(<<-'DOC')
{
"Statement": [
    {
     "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]
    }
  ]
}
DOC
  end
end

its(:policy_name), its(:policy_id), its(:arn), its(:path), its(:default_version_id), its(:attachment_count), its(:permissions_boundary_usage_count), its(:is_attachable), its(:description), its(:create_date), its(:update_date), its(:tags)

iam_role

IamRole resource type.

exist

describe iam_role('my-iam-role') do
  it { should exist }
end

be_allowed_action

describe iam_role('my-iam-role') do
  it { should be_allowed_action('ec2:DescribeInstances') }
  it { should be_allowed_action('s3:Put*').resource_arn('arn:aws:s3:::my-bucket-name/*') }
end

have_iam_policy

describe iam_role('my-iam-role') do
  it { should have_iam_policy('ReadOnlyAccess') }
end

have_inline_policy

describe iam_role('my-iam-role') do
  it { should have_inline_policy('AllowS3BucketAccess') }
  it do
    should have_inline_policy('AllowS3BucketAccess').policy_document(<<-'DOC')
{
"Statement": [
    {
     "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]
    }
  ]
}
DOC
  end
end

You can test for the absence of inline policies.

describe iam_role('my-iam-role') do
  it { should_not have_inline_policy }
end

its(:path), its(:role_name), its(:role_id), its(:arn), its(:create_date), its(:assume_role_policy_document), its(:description), its(:max_session_duration), its(:permissions_boundary), its(:tags), its(:role_last_used)

🔓 Advanced use

iam_role can use the Aws::IAM::Role resource (see http://docs.aws.amazon.com/sdkforruby/api/Aws/IAM/Role.html).

describe iam_role('my-iam-role') do
  its('attached_policies.count') { should eq 5 }
end

or

describe iam_role('my-iam-role') do
  its('resource.attached_policies.count') { should eq 5 }
end

iam_user

IamUser resource type.

exist

describe iam_user('my-iam-user') do
  it { should exist }
end

be_allowed_action

describe iam_user('my-iam-user') do
  it { should be_allowed_action('ec2:DescribeInstances') }
  it { should be_allowed_action('s3:Put*').resource_arn('arn:aws:s3:::my-bucket-name/*') }
end

have_iam_policy

describe iam_user('my-iam-user') do
  it { should have_iam_policy('ReadOnlyAccess') }
end

have_inline_policy

describe iam_user('my-iam-user') do
  it { should have_inline_policy('AllowS3BucketAccess') }
  it do
    should have_inline_policy('AllowS3BucketAccess').policy_document(<<-'DOC')
{
"Statement": [
    {
     "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]
    }
  ]
}
DOC
  end
end

You can test for the absence of inline policies.

describe iam_user('my-iam-user') do
  it { should_not have_inline_policy }
end

belong_to_iam_group

describe iam_user('my-iam-user') do
  it { should belong_to_iam_group('my-iam-group') }
end

its(:path), its(:user_name), its(:user_id), its(:arn), its(:create_date), its(:password_last_used), its(:permissions_boundary), its(:tags)

🔓 Advanced use

iam_user can use the Aws::IAM::User resource (see http://docs.aws.amazon.com/sdkforruby/api/Aws/IAM/User.html).

describe iam_user('my-iam-user') do
  its('login_profile.password_reset_required') { should eq false }
end

or

describe iam_user('my-iam-user') do
  its('resource.login_profile.password_reset_required') { should eq false }
end

internet_gateway

InternetGateway resource type.

exist

describe internet_gateway('igw-1ab2cd3e') do
  it { should exist }
end

describe internet_gateway('my-internet-gateway') do
  it { should exist }
end

be_attached_to

describe internet_gateway('igw-1ab2cd3e') do
  it { should be_attached_to('vpc-ab123cde') }
end

describe internet_gateway('igw-1ab2cd3e') do
  it { should be_attached_to('my-vpc') }
end

have_tag

describe internet_gateway('igw-1ab2cd3e') do
  it { should have_tag('Name').value('my-internet-gateway') }
end

its(:internet_gateway_id), its(:owner_id)

kinesis

Kinesis resource type.

exist

describe kinesis('my-kinesis') do
  it { should exist }
end

its(:stream_name), its(:stream_arn), its(:stream_status), its(:stream_mode_details), its(:retention_period_hours), its(:stream_creation_timestamp), its(:encryption_type), its(:key_id), its(:open_shard_count), its(:consumer_count)

kms

Kms resource type.

exist

describe kms('my-kms-key') do
  it { should exist }
end

be_enabled

describe kms('my-kms-key') do
  it { should be_enabled }
end

have_key_policy

describe kms('my-kms-key') do
  it { should exist }
  it { should be_enabled }
  it do
    should have_key_policy('default').policy_document(<<-'DOC')
{
  "Version" : "2012-10-17",
  "Id" : "key-consolepolicy-2",
  "Statement" : [ {
    "Sid" : "Enable IAM User Permissions",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::1234567890:root"
    },
    "Action" : "kms:*",
    "Resource" : "*"
  }, {
    "Sid" : "Allow access for Key Administrators",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::1234567890:user/test-user"
    },
    "Action" : [ "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion" ],
    "Resource" : "*"
  }, {
    "Sid" : "Allow use of the key",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : [ "arn:aws:iam::1234567890:user/test-user", "arn:aws:iam::1234567890:role/test-role" ]
    },
    "Action" : [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ],
    "Resource" : "*"
  }, {
    "Sid" : "Allow attachment of persistent resources",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : [ "arn:aws:iam::1234567890:user/test-user", "arn:aws:iam::1234567890:role/test-role" ]
    },
    "Action" : [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ],
    "Resource" : "*",
    "Condition" : {
      "Bool" : {
        "kms:GrantIsForAWSResource" : "true"
      }
    }
  } ]
}
DOC
  end
end

its(:aws_account_id), its(:key_id), its(:arn), its(:creation_date), its(:enabled), its(:description), its(:key_usage), its(:key_state), its(:deletion_date), its(:valid_to), its(:origin), its(:custom_key_store_id), its(:cloud_hsm_cluster_id), its(:expiration_model), its(:key_manager), its(:customer_master_key_spec), its(:key_spec), its(:encryption_algorithms), its(:signing_algorithms), its(:multi_region), its(:multi_region_configuration), its(:pending_deletion_window_in_days), its(:mac_algorithms), its(:xks_key_configuration)

lambda

Lambda resource type.

exist

describe lambda('my-lambda-function-name') do
  it { should exist }
end

have_env_var

Useful to validate that a specific environment variable is declared in the Lambda. You will probably want to use it together with have_env_var_value.

have_env_var_value

Validates that a specific environment variable has the expected value. It is more useful combined with have_env_var, because if the variable isn't defined this matcher fails without reporting that the variable is missing.

expected.each_pair do |key, value|
  context "environment variable #{key}" do
    it { should have_env_var(key) }
    it { should have_env_var_value(key, value) }
  end
end

Here expected is a hash whose keys are the environment variable names and whose values are the expected values.

have_env_vars

Useful to validate that the Lambda has environment variables configured:

describe lambda('my-lambda-function-name') do
  it { should have_env_vars() }
end

have_event_source

This matcher does not support Amazon S3 event sources (see SDK doc).

its(:function_name), its(:function_arn), its(:runtime), its(:role), its(:handler), its(:code_size), its(:description), its(:timeout), its(:memory_size), its(:last_modified), its(:code_sha_256), its(:version), its(:vpc_config), its(:dead_letter_config), its(:kms_key_arn), its(:master_arn), its(:revision_id), its(:layers), its(:state), its(:state_reason), its(:state_reason_code), its(:last_update_status), its(:last_update_status_reason), its(:last_update_status_reason_code), its(:file_system_configs), its(:package_type), its(:image_config_response), its(:signing_profile_version_arn), its(:signing_job_arn), its(:architectures), its(:ephemeral_storage), its(:snap_start), its(:runtime_version_config)

launch_configuration

LaunchConfiguration resource type.

exist

describe launch_configuration('my-lc') do
  it { should exist }
end

have_block_device_mapping

have_security_group

describe launch_configuration('my-lc') do
  it { should have_security_group('my-security-group-name') }
end

its(:launch_configuration_name), its(:launch_configuration_arn), its(:image_id), its(:key_name), its(:security_groups), its(:classic_link_vpc_id), its(:classic_link_vpc_security_groups), its(:user_data), its(:instance_type), its(:kernel_id), its(:ramdisk_id), its(:spot_price), its(:iam_instance_profile), its(:created_time), its(:ebs_optimized), its(:associate_public_ip_address), its(:placement_tenancy), its(:metadata_options)

launch_template

LaunchTemplate resource type.

exist

You can set the launch template version (default: $Default).

# launch_template_id or launch_template_name
describe launch_template('my-launch-template') do
  it { should exist }
  its(:default_version_number) { should eq 1 }
  its(:latest_version_number) { should eq 2 }
  its('launch_template_version.launch_template_data.image_id') { should eq 'ami-12345foobar' }
  its('launch_template_version.launch_template_data.instance_type') { should eq 't2.micro' }
end