---
title: About the aws_subnets Resource
platform: aws
---
# aws\_subnets

Use the `aws_subnets` InSpec audit resource to test properties of some or all subnets.

Subnets are networks within a VPC that can have their own block of IP addresses and their own ACLs.
VPCs span all availability zones in a region, while a subnet in a VPC can only span a single availability zone.
Placing subnets in separate availability zones provides protection if one availability zone fails.
<br>
## Syntax

An `aws_subnets` resource block uses an optional filter to select a group of subnets and then tests that group.

    # Test all subnets within a single VPC
    describe aws_subnets.where(vpc_id: 'vpc-12345678') do
      its('subnet_ids') { should include 'subnet-12345678' }
      its('subnet_ids') { should include 'subnet-98765432' }
    end

<br>
## Examples
The following examples show how to use this InSpec audit resource.
As this is the initial release of `aws_subnets`, its limited functionality precludes examples.

<br>
## Filter Criteria

* `vpc_id`, `subnet_id`

## Filter Examples

### vpc\_id

A string identifying the VPC, which may or may not contain subnets.

    # Look for all subnets within a VPC.
    describe aws_subnets.where(vpc_id: 'vpc-12345678') do
      its('subnet_ids') { should include 'subnet-12345678' }
      its('subnet_ids') { should include 'subnet-98765432' }
    end

### subnet\_id

A string identifying a specific subnet.

    # Examine a specific subnet
    describe aws_subnets.where(subnet_id: 'subnet-12345678') do
      its('cidr_blocks') { should eq ['10.0.1.0/24'] }
    end

<br>
## Properties

* `cidr_blocks`, `states`, `subnet_ids`, `vpc_ids`
<br>
## Property Examples

### cidr\_blocks

Provides an array of strings, each containing the CIDR block of IP addresses assigned to a matched subnet.

    # Examine a specific subnet's cidr_blocks
    describe aws_subnets.where(subnet_id: 'subnet-12345678') do
      its('cidr_blocks') { should eq ['10.0.1.0/24'] }
    end

### states

Provides an array of strings giving the state of each matched subnet, for example whether it is available or still pending.

    # Check the states of a specific VPC's subnets
    describe aws_subnets.where(vpc_id: 'vpc-12345678') do
      its('states') { should_not include 'pending' }
    end

### subnet\_ids

Provides an array of strings containing the subnet IDs associated with a VPC.

    # Examine a specific VPC's subnet IDs
    describe aws_subnets.where(vpc_id: 'vpc-12345678') do
      its('subnet_ids') { should include 'subnet-12345678' }
      its('subnet_ids') { should include 'subnet-98765432' }
    end

### vpc\_ids

Provides an array of strings containing the VPC IDs associated with the matched subnets.

    # Examine a specific subnet's VPC IDs
    describe aws_subnets.where(subnet_id: 'subnet-12345678') do
      its('vpc_ids') { should include 'vpc-12345678' }
    end

<br>
## Matchers

For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

### exists

The control will pass if the filter returns at least one result. Use `should_not` if you expect zero matches.

    # You don't always have subnets, so you can test whether there are any.
    describe aws_subnets do
      it { should exist }
    end

    # Test that there are subnets in a VPC
    describe aws_subnets.where(vpc_id: 'vpc-12345678') do
      it { should exist }
    end

## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `ec2:DescribeSubnets` action with Effect set to Allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).