inspec/test/aws/default/verify/controls/aws_cloudtrail_trail.rb

71 lines
2.5 KiB
Ruby
Raw Normal View History

fixtures = {}
[
'cloudtrail_trail_1_cloud_watch_logs_group_arn',
'cloudtrail_trail_1_cloud_watch_logs_role_arn',
'cloudtrail_trail_1_key_arn',
'cloudtrail_trail_1_name',
'cloudtrail_trail_1_arn',
'cloudtrail_trail_1_s3_bucket_name',
'cloudtrail_trail_2_name',
'cloudtrail_trail_2_arn',
'cloudtrail_trail_2_s3_bucket_name'
].each do |fixture_name|
fixtures[fixture_name] = attribute(
fixture_name,
default: "default.#{fixture_name}",
description: 'See ../build/cloudtrail.tf',
)
end
control "aws_cloudtrail_trail recall" do
describe aws_cloudtrail_trail(fixtures['cloudtrail_trail_1_name']) do
it { should exist}
end
describe aws_cloudtrail_trail(trail_name: fixtures['cloudtrail_trail_2_name']) do
it { should exist }
end
describe aws_cloudtrail_trail('non-existant-trail') do
it { should_not exist }
end
end
control "aws_cloudtrail_trail properties" do
describe aws_cloudtrail_trail(fixtures['cloudtrail_trail_1_name']) do
its('s3_bucket_name') { should eq fixtures['cloudtrail_trail_1_s3_bucket_name'] }
its('trail_arn') { should eq fixtures['cloudtrail_trail_1_arn'] }
its('cloud_watch_logs_role_arn') { should eq fixtures['cloudtrail_trail_1_cloud_watch_logs_role_arn'] }
its('cloud_watch_logs_log_group_arn') { should eq fixtures['cloudtrail_trail_1_cloud_watch_logs_group_arn']}
its('kms_key_id') { should eq fixtures['cloudtrail_trail_1_key_arn'] }
end
describe aws_cloudtrail_trail(fixtures['cloudtrail_trail_2_name']) do
its('s3_bucket_name') { should eq fixtures['cloudtrail_trail_2_s3_bucket_name'] }
its('trail_arn') { should eq fixtures['cloudtrail_trail_2_arn'] }
its('cloud_watch_logs_role_arn') { should be_nil }
its('cloud_watch_logs_log_group_arn') { should be_nil}
its('kms_key_id') { should be_nil }
end
end
control "aws_cloudtrail_trail matchers" do
describe aws_cloudtrail_trail(fixtures['cloudtrail_trail_1_name']) do
it { should be_encrypted }
end
describe aws_cloudtrail_trail(fixtures['cloudtrail_trail_2_name']) do
it { should_not be_encrypted }
end
describe aws_cloudtrail_trail(fixtures['cloudtrail_trail_1_name']) do
it { should be_multi_region_trail }
end
describe aws_cloudtrail_trail(fixtures['cloudtrail_trail_2_name']) do
it { should_not be_multi_region_trail }
end
describe aws_cloudtrail_trail(fixtures['cloudtrail_trail_1_name']) do
it { should be_log_file_validation_enabled }
end
describe aws_cloudtrail_trail(fixtures['cloudtrail_trail_2_name']) do
it { should_not be_log_file_validation_enabled }
end
end