inspec/lib/resources/aws/aws_ec2_instance.rb

163 lines
4.6 KiB
Ruby
Raw Normal View History

require "resource_support/aws/aws_singular_resource_mixin"
require "resource_support/aws/aws_backend_base"
require "aws-sdk-ec2"
class AwsEc2Instance < Inspec.resource(1)
name "aws_ec2_instance"
desc "Verifies settings for an EC2 instance"
2016-12-15 08:53:01 +00:00
example <<~EXAMPLE
describe aws_ec2_instance('i-123456') do
2016-12-15 08:53:01 +00:00
it { should be_running }
Add has_roles to aws_ec2_instance (#90) * Rename EC2-instance resources Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Add interim updates Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * testing for issue 82 Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * completed integration for EC2 roles Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * adding in the beginning of the unit test for issue 82 Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * Fix unit tests Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Add has_roles? examples Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Remove redundant gsub Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * corrected OpenStruct format Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * setting up variable for InstanceProfile Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * Updated the unit test so all variables are at the top Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * Fixed Rubocop issues that were detected Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * Updating README.md to include changes to aws_ec2 Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * Add failing IT for has_roles? Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Add negative IT and fix uncovered issue Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Fix Rubocop issue Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Fix integration test Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Fix Rubocop issues and unit tests Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Pin AWS dependency to '~> 2' Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
2017-10-26 19:56:32 +00:00
it { should have_roles }
2016-12-15 08:53:01 +00:00
end
describe aws_ec2_instance(name: 'my-instance') do
2016-12-15 08:53:01 +00:00
it { should be_running }
Add has_roles to aws_ec2_instance (#90) * Rename EC2-instance resources Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Add interim updates Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * testing for issue 82 Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * completed integration for EC2 roles Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * adding in the beginning of the unit test for issue 82 Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * Fix unit tests Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Add has_roles? examples Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Remove redundant gsub Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * corrected OpenStruct format Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * setting up variable for InstanceProfile Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * Updated the unit test so all variables are at the top Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * Fixed Rubocop issues that were detected Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * Updating README.md to include changes to aws_ec2 Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * Add failing IT for has_roles? Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Add negative IT and fix uncovered issue Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Fix Rubocop issue Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Fix integration test Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Fix Rubocop issues and unit tests Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Pin AWS dependency to '~> 2' Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
2017-10-26 19:56:32 +00:00
it { should have_roles }
2016-12-15 08:53:01 +00:00
end
EXAMPLE
supports platform: "aws"
2016-12-15 08:53:01 +00:00
# TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin
def initialize(opts, conn = nil)
2016-12-15 08:53:01 +00:00
@opts = opts
@opts.is_a?(Hash) ? @display_name = @opts[:name] : @display_name = opts
@ec2_client = conn ? conn.ec2_client : inspec_runner.backend.aws_client(Aws::EC2::Client)
@ec2_resource = conn ? conn.ec2_resource : inspec_runner.backend.aws_resource(Aws::EC2::Resource, {})
@iam_resource = conn ? conn.iam_resource : inspec_runner.backend.aws_resource(Aws::IAM::Resource, {})
end
# TODO: DRY up, see https://github.com/chef/inspec/issues/2633
# Copied from resource_support/aws/aws_resource_mixin.rb
def catch_aws_errors
yield
rescue Aws::Errors::MissingCredentialsError
# The AWS error here is unhelpful:
# "unable to sign request without credentials set"
Inspec::Log.error "It appears that you have not set your AWS credentials. You may set them using environment variables, or using the 'aws://region/aws_credentials_profile' target. See https://docs.chef.io/inspec/platforms/ for details."
fail_resource("No AWS credentials available")
rescue Aws::Errors::ServiceError => e
fail_resource e.message
end
# TODO: DRY up, see https://github.com/chef/inspec/issues/2633
# Copied from resource_support/aws/aws_singular_resource_mixin.rb
def inspec_runner
# When running under inspec-cli, we have an 'inspec' method that
# returns the runner. When running under unit tests, we don't
# have that, but we still have to call this to pass something
# (nil is OK) to the backend.
# TODO: remove with https://github.com/chef/inspec-aws/issues/216
# TODO: remove after rewrite to include AwsSingularResource
inspec if respond_to?(:inspec)
2016-12-15 08:53:01 +00:00
end
def id
return @instance_id if defined?(@instance_id)
catch_aws_errors do
if @opts.is_a?(Hash)
first = @ec2_resource.instances(
{
filters: [{
name: "tag:Name",
values: [@opts[:name]],
}],
}
).first
# catch case where the instance is not known
@instance_id = first.id unless first.nil?
else
@instance_id = @opts
end
2016-12-15 08:53:01 +00:00
end
end
alias instance_id id
def exists?
return false if instance.nil?
instance.exists?
2016-12-15 08:53:01 +00:00
end
# returns the instance state
def state
catch_aws_errors do
instance&.state&.name
end
2016-12-15 08:53:01 +00:00
end
# helper methods for each state
%w{
pending running shutting-down
terminated stopping stopped unknown
}.each do |state_name|
define_method state_name.tr("-", "_") + "?" do
2016-12-15 08:53:01 +00:00
state == state_name
end
end
# attributes that we want to expose
%w{
public_ip_address private_ip_address key_name private_dns_name
public_dns_name subnet_id architecture root_device_type
root_device_name virtualization_type client_token launch_time
instance_type image_id vpc_id
}.each do |attribute|
define_method attribute do
catch_aws_errors do
instance.send(attribute) if instance
end
2016-12-15 08:53:01 +00:00
end
end
# Don't document this - it's a bit hard to use. Our current doctrine
# is to use dumb things, like arrays of strings - use security_group_ids instead.
2016-12-15 08:53:01 +00:00
def security_groups
catch_aws_errors do
@security_groups ||= instance.security_groups.map do |sg|
{ id: sg.group_id, name: sg.group_name }
end
end
2016-12-15 08:53:01 +00:00
end
def security_group_ids
catch_aws_errors do
@security_group_ids ||= instance.security_groups.map(&:group_id)
end
end
2016-12-15 08:53:01 +00:00
def tags
catch_aws_errors do
@tags ||= instance.tags.map { |tag| { key: tag.key, value: tag.value } }
end
2016-12-15 08:53:01 +00:00
end
def to_s
"EC2 Instance #{@display_name}"
end
Add has_roles to aws_ec2_instance (#90) * Rename EC2-instance resources Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Add interim updates Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * testing for issue 82 Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * completed integration for EC2 roles Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * adding in the beginning of the unit test for issue 82 Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * Fix unit tests Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Add has_roles? examples Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Remove redundant gsub Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * corrected OpenStruct format Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * setting up variable for InstanceProfile Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * Updated the unit test so all variables are at the top Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * Fixed Rubocop issues that were detected Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * Updating README.md to include changes to aws_ec2 Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * Add failing IT for has_roles? Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Add negative IT and fix uncovered issue Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Fix Rubocop issue Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Fix integration test Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Fix Rubocop issues and unit tests Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Pin AWS dependency to '~> 2' Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
2017-10-26 19:56:32 +00:00
def has_roles?
catch_aws_errors do
instance_profile = instance.iam_instance_profile
if instance_profile
roles = @iam_resource.instance_profile(
instance_profile.arn.gsub(%r{^.*\/}, "")
).roles
else
roles = nil
end
roles && !roles.empty?
Add has_roles to aws_ec2_instance (#90) * Rename EC2-instance resources Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Add interim updates Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * testing for issue 82 Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * completed integration for EC2 roles Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * adding in the beginning of the unit test for issue 82 Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * Fix unit tests Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Add has_roles? examples Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Remove redundant gsub Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * corrected OpenStruct format Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * setting up variable for InstanceProfile Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * Updated the unit test so all variables are at the top Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * Fixed Rubocop issues that were detected Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * Updating README.md to include changes to aws_ec2 Signed-off-by: Simon Varlow <simon.varlow@d2l.com> * Add failing IT for has_roles? Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Add negative IT and fix uncovered issue Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Fix Rubocop issue Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Fix integration test Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Fix Rubocop issues and unit tests Signed-off-by: Chris Redekop <chris.redekop@d2l.com> * Pin AWS dependency to '~> 2' Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
2017-10-26 19:56:32 +00:00
end
end
2016-12-15 08:53:01 +00:00
private
def instance
catch_aws_errors { @instance ||= @ec2_resource.instance(id) }
2016-12-15 08:53:01 +00:00
end
end