merging in master

Signed-off-by: Will Dower <wdower@mitre.org>
This commit is contained in:
Will Dower 2022-03-07 15:53:10 -05:00
commit 23d1749ee8
585 changed files with 8769 additions and 13173 deletions


@ -13,7 +13,7 @@ $(cat release-notes.md)
---
## Get the Build
You can download binaries directly from [downloads.chef.io](https://downloads.chef.io/$EXPEDITOR_PRODUCT_KEY/$EXPEDITOR_VERSION).
You can download binaries directly from [Chef Downloads](https://www.chef.io/downloads/tools/$EXPEDITOR_PRODUCT_KEY?v=$EXPEDITOR_VERSION).
EOH
)


@ -15,7 +15,7 @@ steps:
expeditor:
executor:
docker:
image: ruby:2.6
image: ruby:3.0
privileged: true
- label: ":windows: Validate Habitat Builds of Chef InSpec"


@ -15,12 +15,15 @@ $Properties = 'Caption', 'CSName', 'Version', 'BuildType', 'OSArchitecture'
Get-CimInstance Win32_OperatingSystem | Select-Object $Properties | Format-Table -AutoSize
Write-Host "--- Installing the version of Habitat required"
$hab_version = (hab --version)
$hab_minor_version = $hab_version.split('.')[1]
if ( -not $? -Or $hab_minor_version -lt 85 ) {
Install-Habitat --version 0.85.0.20190916
} else {
Write-Host ":habicat: I think I have the version I need to build."
try {
hab --version
}
catch {
Set-ExecutionPolicy Bypass -Scope Process -Force
Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.ps1'))
}
finally {
Write-Host ":habicat: I think I have the version I need to build."
}
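Review bot: The new `catch` branch runs `install.ps1` straight from the `main` branch of habitat-sh/habitat through `Invoke-Expression` of a `DownloadString` result, so the build executes whatever that mutable ref serves at the moment, with no version pin and no integrity check; the Linux exec script in this same commit, `curl .../habitat/main/components/hab/install.sh | bash`, has the same shape. Pinning the URL to a release tag or commit and comparing a SHA-256 before running the file limits the build to a known installer. The `finally` block also prints `:habicat: I think I have the version I need to build.` even when the download or install threw, so a failed install is reported as success; printing that message only after a successful `hab --version` would be accurate. Whether the surrounding script sets `$ErrorActionPreference` is not visible in this hunk.
```powershell
catch {
    Set-ExecutionPolicy Bypass -Scope Process -Force
    # Pin the installer to a known ref and verify it before executing anything.
    $installerUrl  = 'https://raw.githubusercontent.com/habitat-sh/habitat/<PINNED_COMMIT_OR_TAG_PLACEHOLDER>/components/hab/install.ps1'
    $installerPath = Join-Path $env:TEMP 'hab-install.ps1'
    (New-Object System.Net.WebClient).DownloadFile($installerUrl, $installerPath)
    $actualHash = (Get-FileHash -Algorithm SHA256 $installerPath).Hash
    if ($actualHash -ne '<EXPECTED_SHA256_PLACEHOLDER>') {
        throw "hab install.ps1 hash mismatch: $actualHash"
    }
    & $installerPath
    hab --version
    Write-Host ":habicat: I think I have the version I need to build."
}
# … unchanged: finally block (without the unconditional success message) …
```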


@ -16,7 +16,7 @@ uname -a
echo "--- Installing Habitat"
id -a
curl https://raw.githubusercontent.com/habitat-sh/habitat/master/components/hab/install.sh | bash
curl https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.sh | bash
echo "--- Generating fake origin key"


@ -5,7 +5,8 @@ ruby -v
bundle --version
echo "--- bundle install"
bundle install --jobs=7 --retry=3 --without tools maintenance deploy
bundle config set --local without tools maintenance deploy
bundle install --jobs=7 --retry=3
echo "+++ bundle exec rake test:parallel"
bundle exec rake test:parallel K=4


@ -10,7 +10,7 @@ useradd -m -U --uid 2000 normal
echo "normal ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/normal
echo "--- updating rubygems"
gem update -N --system 3.0.6 --force
gem update -N --system 3.2.3 --force
echo "--- system details"
uname -a
@ -20,12 +20,25 @@ mount
df /tmp
echo ${TMPDIR:-unknown}
if [ -n "${CI_ENABLE_COVERAGE:-}" ]; then
# Fetch token from vault ASAP so that long-running tests don't cause our vault token to expire
echo "--- installing vault"
export VAULT_VERSION=1.9.3
export VAULT_HOME=$HOME/vault
curl --create-dirs -sSLo $VAULT_HOME/vault.zip https://releases.hashicorp.com/vault/$VAULT_VERSION/vault_${VAULT_VERSION}_linux_amd64.zip
unzip -o $VAULT_HOME/vault.zip -d $VAULT_HOME
echo "--- fetching Sonar token from vault"
export SONAR_TOKEN=$($VAULT_HOME/vault kv get -field token secret/inspec/sonar)
fi
echo "--- pull bundle cache"
pull_bundle
echo "--- bundle"
bundle config --local path vendor/bundle
bundle install --jobs=7 --retry=3 --without tools maintenance deploy
bundle config set --local without tools maintenance deploy
bundle install --jobs=7 --retry=3
echo "--- push bundle cache"
push_bundle
@ -36,3 +49,29 @@ echo "+++ bundle exec rake ${RAKE_TASK:-}"
# su normal -c "bundle exec rake ${RAKE_TASK:-}"
# shellcheck disable=SC2086
bundle exec rake ${RAKE_TASK:-}
RAKE_EXIT=$?
# If coverage is enabled, then we need to pick up the coverage/coverage.json file
if [ -n "${CI_ENABLE_COVERAGE:-}" ]; then
echo "--- installing sonarscanner"
export SONAR_SCANNER_VERSION=4.6.2.2472
export SONAR_SCANNER_HOME=$HOME/.sonar/sonar-scanner-$SONAR_SCANNER_VERSION-linux
curl --create-dirs -sSLo $HOME/.sonar/sonar-scanner.zip https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-$SONAR_SCANNER_VERSION-linux.zip
unzip -o $HOME/.sonar/sonar-scanner.zip -d $HOME/.sonar/
export PATH=$SONAR_SCANNER_HOME/bin:$PATH
export SONAR_SCANNER_OPTS="-server"
# Delete the vendor/ directory. I've tried to exclude it using sonar.exclusions,
# but that appears to get ignored, and we end up analyzing the gemfile install
# which blows our analysis.
echo "--- deleting installed gems"
rm -rf vendor/
# See sonar-project.properties for additional settings
echo "--- running sonarscanner"
sonar-scanner \
-Dsonar.sources=. \
-Dsonar.host.url=https://sonarcloud.io
fi
exit $RAKE_EXIT
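Review bot: `export SONAR_TOKEN=$($VAULT_HOME/vault kv get -field token secret/inspec/sonar)` places the Sonar token in the environment of everything that follows, including `bundle exec rake ${RAKE_TASK:-}` and every process the test suite spawns, although only `sonar-scanner` at the end of the script needs it; the `export` form also masks a failed vault call, so an empty token is exported and the run continues. Keeping it in a plain variable, `sonar_token=$("$VAULT_HOME/vault" kv get -field token secret/inspec/sonar) || { echo "vault kv get failed" >&2; exit 1; }`, and supplying it only to the scanner, `SONAR_TOKEN="$sonar_token" sonar-scanner \`, confines the secret to the one command that uses it and fails closed when vault is unreachable. The vault and sonar-scanner zips are fetched with `curl -sSLo` but without `-f` and without a checksum, so an HTTP error body or a substituted archive is unzipped without complaint; `curl -fsSLo` plus a SHA-256 comparison against the vendor's published sums would make both downloads verifiable. The expansions `$VAULT_HOME` and `$HOME/.sonar/...` in these lines are unquoted as well.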


@ -7,7 +7,8 @@ set -ue
echo "--- bundle install"
cd www
bundle install --jobs=7 --retry=3 --without tools maintenance deploy
bundle config set --local without tools maintenance deploy
bundle install --jobs=7 --retry=3
echo "+++ bundle exec rake"
bundle exec rake www V=1 PUSH=1


@ -18,11 +18,16 @@ pipelines:
- HAB_NOCOLORING: "true"
- HAB_STUDIO_SECRET_HAB_NONINTERACTIVE: "true"
- docker/build
- omnibus/release
- omnibus/release:
env:
# The git cache is corrupt more often than not. This always purges the cache.
# https://chefio.atlassian.net/wiki/spaces/RELENGKB/pages/2204336129/Resolving+git+cache+build+errors+in+Omnibus
- EXPIRE_CACHE: 1
- omnibus/adhoc:
definition: .expeditor/release.omnibus.yml
env:
- ADHOC: true
- EXPIRE_CACHE: 1
- verify:
description: Pull Request validation tests
public: true
@ -31,6 +36,15 @@ pipelines:
- SLOW: 1
- NO_AWS: 1
- MT_CPU: 5
- coverage:
description: Unit test coverage
# Private due to use of tokens
trigger: pull_request
env:
- LANG: "C.UTF-8"
- SLOW: 1
- NO_AWS: 1
- MT_CPU: 5
- integration/resources:
description: Test core resources with test-kitchen.
definition: .expeditor/integration.resources.yml
@ -67,19 +81,18 @@ slack:
github:
delete_branch_on_merge: true
minor_bump_labels:
- "Expeditor: Bump Minor Version"
version_tag_format: v{{version}}
minor_bump_labels:
- "Expeditor: Bump Minor Version"
# allow bumping the major release via label
major_bump_labels:
- "Expeditor: Bump Major Version"
release_branches:
- master:
- main:
version_constraint: 5.*
- inspec-4:
version_constraint: 4.*
- 1-stable:
version_constraint: 1.*
- 2-stable:
version_constraint: 2.*
- 3-stable:
version_constraint: 3.*
# We need to ensure all configs are in place to appropriately support this branch
# - expeditor-development:
# version_constraint: 4.*
@ -151,6 +164,9 @@ subscriptions:
actions:
- built_in:promote_docker_images
- built_in:promote_habitat_packages
- workload: project_promoted:{{agent_id}}:*
actions:
- built_in:promote_artifactory_artifact
- workload: artifact_published:stable:inspec:{{version_constraint}}
actions:
- bash:.expeditor/update_dockerfile.sh
@ -175,4 +191,4 @@ subscriptions:
- built_in:github_auto_assign_author:
only_if_team_member:
- inspec/owners
- inspec/inspec-core-team
- inspec/inspec-core-team
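Review bot: The new `coverage` pipeline is triggered on `pull_request` and, in the pipeline definition this commit adds (`coverage-ruby-3.0`, `secrets: true`), runs `CI_ENABLE_COVERAGE=1 RAKE_TASK=test:unit /workdir/.expeditor/buildkite/verify.sh`, i.e. the pull request's own unit tests in a job that holds the vault and Sonar credentials; the `# Private due to use of tokens` comment only hides the build output, it does not keep PR code from reading the token. If that trigger includes pull requests from forks, repository secrets become reachable by unreviewed code; restricting the pipeline to branches of this repository, or running the tests without secrets and uploading coverage in a separate trusted step, closes that. A comment stating which PR sources the trigger covers would make the intent checkable, e.g. `# Runs only for PRs from repository branches; fork PRs must not reach vault`.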


@ -0,0 +1,19 @@
---
expeditor:
defaults:
buildkite:
timeout_in_minutes: 45
retry:
automatic:
limit: 1
steps:
- label: coverage-ruby-3.0
command:
- CI_ENABLE_COVERAGE=1 RAKE_TASK=test:unit /workdir/.expeditor/buildkite/verify.sh
expeditor:
secrets: true
executor:
docker:
image: ruby:3.0


@ -71,6 +71,7 @@ steps:
linux:
privileged: true
single-use: true
- label: "Kitchen: resources-debian-10"
commands:
- .expeditor/buildkite/bk_linux_exec.sh
@ -118,6 +119,7 @@ steps:
linux:
privileged: true
single-use: true
- label: "Kitchen: resources-oraclelinux-8"
commands:
- .expeditor/buildkite/bk_linux_exec.sh
@ -150,6 +152,22 @@ steps:
privileged: true
single-use: true
- label: "Kitchen: resources-ubuntu-1604"
commands:
- .expeditor/buildkite/bk_linux_exec.sh
- . /var/lib/buildkite-agent/.asdf/asdf.sh
- bundle exec kitchen test resources-ubuntu-1604
artifact_paths:
- $PWD/.kitchen/logs/kitchen.log
env:
KITCHEN_YAML: kitchen.dokken.yml
DOCKER: 1
expeditor:
executor:
linux:
privileged: true
single-use: true
- label: "Kitchen: resources-ubuntu-1804"
commands:
- .expeditor/buildkite/bk_linux_exec.sh
@ -165,6 +183,7 @@ steps:
linux:
privileged: true
single-use: true
- label: "Kitchen: resources-ubuntu-2004"
commands:
- .expeditor/buildkite/bk_linux_exec.sh


@ -11,8 +11,10 @@ builder-to-testers-map:
debian-9-x86_64:
- debian-9-x86_64
- debian-10-x86_64
- debian-11-x86_64
debian-10-aarch64:
- debian-10-aarch64
- debian-11-aarch64
el-6-x86_64:
- el-6-x86_64
el-7-aarch64:
@ -25,12 +27,13 @@ builder-to-testers-map:
- el-8-aarch64
el-8-x86_64:
- el-8-x86_64
mac_os_x-10.14-x86_64:
- mac_os_x-10.14-x86_64
mac_os_x-10.15-x86_64:
- mac_os_x-10.15-x86_64
- mac_os_x-11-x86_64
- mac_os_x-12-x86_64
mac_os_x-11-arm64:
- mac_os_x-11-arm64
- mac_os_x-12-arm64
sles-12-x86_64:
- sles-12-x86_64
- sles-15-x86_64
@ -39,7 +42,8 @@ builder-to-testers-map:
ubuntu-18.04-aarch64:
- ubuntu-18.04-aarch64
- ubuntu-20.04-aarch64
ubuntu-18.04-x86_64:
ubuntu-16.04-x86_64:
- ubuntu-16.04-x86_64
- ubuntu-18.04-x86_64
- ubuntu-20.04-x86_64
windows-2012r2-x86_64:
@ -47,5 +51,7 @@ builder-to-testers-map:
- windows-2012r2-x86_64
- windows-2016-x86_64
- windows-2019-x86_64
- windows-2022-x86_64
- windows-8-x86_64
- windows-10-x86_64
- windows-11-x86_64


@ -3,7 +3,7 @@
# This file updates the default VERSION build argument in the Dockerfile to the
# VERSION passed in to the file via environment variables.
#
# This ensures the Dockerfile in inspec master will list the version of the latest
# This ensures the Dockerfile in inspec main will list the version of the latest
# stable release for any community member who wishes to build their own container
# from scratch.
#


@ -9,29 +9,13 @@ expeditor:
steps:
- label: lint-ruby-2.6
- label: lint-ruby-3.0
command:
- RAKE_TASK=test:lint /workdir/.expeditor/buildkite/verify.sh
expeditor:
executor:
docker:
image: ruby:2.6
- label: run-tests-ruby-2.5
command:
- /workdir/.expeditor/buildkite/verify.sh
expeditor:
executor:
docker:
image: ruby:2.5
- label: run-tests-ruby-2.6
command:
- /workdir/.expeditor/buildkite/verify.sh
expeditor:
executor:
docker:
image: ruby:2.6
image: ruby:3.0
- label: run-tests-ruby-2.7
command:
@ -41,15 +25,24 @@ steps:
docker:
image: ruby:2.7
- label: isolated-tests-ruby-2.6
- label: run-tests-ruby-3.0
command:
- /workdir/.expeditor/buildkite/verify.sh
expeditor:
executor:
docker:
image: ruby:3.0
- label: isolated-tests-ruby-3.0
command:
- RAKE_TASK=test:isolated /workdir/.expeditor/buildkite/verify.sh
expeditor:
executor:
docker:
image: ruby:2.6
image: ruby:3.0
- label: run-tests-ruby-2.6-windows
- label: run-tests-ruby-3.0-windows
command:
- /workdir/.expeditor/buildkite/verify.ps1
expeditor:
@ -59,3 +52,4 @@ steps:
- BUILDKITE
host_os: windows
shell: ["powershell", "-Command"]
image: rubydistros/windows-2019:3.0


@ -1,12 +1,26 @@
version: 2
updates:
- package-ecosystem: bundler
target-branch: "main"
directory: "/"
schedule:
interval: daily
open-pull-requests-limit: 10
ignore:
- dependency-name: chefstyle
versions:
- 1.6.1
- 1.6.2
- package-ecosystem: bundler
target-branch: "main"
directory: "/omnibus"
schedule:
interval: daily
open-pull-requests-limit: 10
- package-ecosystem: bundler
target-branch: "inspec-4"
directory: "/"
schedule:
interval: daily
open-pull-requests-limit: 10
- package-ecosystem: bundler
target-branch: "inspec-4"
directory: "/omnibus"
schedule:
interval: daily
open-pull-requests-limit: 10

3
.github/labeler.yml vendored Normal file

@ -0,0 +1,3 @@
documentation:
- 'docs-chef-io/**/*'

11
.github/workflows/labeler.yml vendored Normal file

@ -0,0 +1,11 @@
name: "Pull Request Labeler"
on:
- pull_request_target
jobs:
triage:
runs-on: ubuntu-latest
steps:
- uses: actions/labeler@main
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"
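Review bot: `- uses: actions/labeler@main` pins the action to a moving branch inside a workflow that runs on `pull_request_target`, which executes in the base repository's context with a `GITHUB_TOKEN` that is typically write-capable; any change pushed to that upstream branch becomes part of this job immediately. Referencing a full commit SHA, `- uses: actions/labeler@<FULL_COMMIT_SHA_PLACEHOLDER> # vX.Y.Z`, makes the dependency immutable and reviewable. A top-level `permissions:` block granting only `contents: read` and `pull-requests: write` would also scope the token to what labeling needs. The job has no checkout step, so it does not execute PR-controlled code itself.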

5
.gitignore vendored

@ -28,6 +28,7 @@ inspec-deprecations-in-cfg.txt
inspec-deprecations-in-lib.txt
kitchen.local.yml
meta-profile-0.2.0.tar.gz
inheritance-1.0.0.tar.gz
omnibus/.cache
omnibus/pkg
profile-1.0.0.tar.gz
@ -36,6 +37,4 @@ results/
terraform.tfstate*
terraform.tfstate.backup
terraform.tfvars
test/**/*.lock
www/Gemfile.lock
www/source/index.html.slim
test/**/*.lock


@ -5,7 +5,7 @@ AllCops:
- 'test/fixtures/profiles/**/*.rb'
- 'test/fixtures/config_dirs/**/*.rb'
- 'lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/**/*'
- 'examples/**/controls/*.rb'
- 'examples/**/*.rb'
- 'vendor/bundle/**/*'
Layout/ArgumentAlignment:
EnforcedStyle: with_first_argument


@ -1,25 +1,216 @@
# Change Log
<!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
<!-- latest_release 4.38.7 -->
## [v4.38.7](https://github.com/inspec/inspec/tree/v4.38.7) (2021-07-08)
#### Enhancements
- Update postgresql resources to normalize it for platform supports [#5576](https://github.com/inspec/inspec/pull/5576) ([Vasu1105](https://github.com/Vasu1105))
<!-- latest_release -->
<!-- release_rollup since=4.38.3 -->
### Changes since 4.38.3 release
#### Enhancements
- Update postgresql resources to normalize it for platform supports [#5576](https://github.com/inspec/inspec/pull/5576) ([Vasu1105](https://github.com/Vasu1105)) <!-- 4.38.7 -->
- Remove default port for mssql_session, allowing named connections [#5584](https://github.com/inspec/inspec/pull/5584) ([Nik08](https://github.com/Nik08)) <!-- 4.38.6 -->
<!-- latest_release unreleased -->
## Unreleased
#### Merged Pull Requests
- Waiver file expiration dates misinterpretation fix [#5586](https://github.com/inspec/inspec/pull/5586) ([Nik08](https://github.com/Nik08)) <!-- 4.38.5 -->
- Oracle Session Exception Handling [#5567](https://github.com/inspec/inspec/pull/5567) ([Nik08](https://github.com/Nik08)) <!-- 4.38.4 -->
- Pin openssl to 1.1.1m [#5851](https://github.com/inspec/inspec/pull/5851) ([jayashrig158](https://github.com/jayashrig158))
<!-- latest_release -->
<!-- release_rollup since=4.52.9 -->
### Changes since 4.52.9 release
#### New Features
- CFINSPEC-3 Added kernel_parameters resource [#5782](https://github.com/inspec/inspec/pull/5782) ([Nik08](https://github.com/Nik08)) <!-- 4.56.0 -->
- Adds user_permissions property and be_inherited matcher to the file resource for Windows. [#5775](https://github.com/inspec/inspec/pull/5775) ([Vasu1105](https://github.com/Vasu1105)) <!-- 4.55.0 -->
- Adds user_permissions property and be_inherited matcher to the registry_key resource [#5778](https://github.com/inspec/inspec/pull/5778) ([Vasu1105](https://github.com/Vasu1105)) <!-- 4.54.0 -->
- Added Timezone Resource [#5758](https://github.com/inspec/inspec/pull/5758) ([Nik08](https://github.com/Nik08)) <!-- 4.53.0 -->
#### Merged Pull Requests
- Pin openssl to 1.1.1m [#5851](https://github.com/inspec/inspec/pull/5851) ([jayashrig158](https://github.com/jayashrig158)) <!-- 5.1.3 -->
- CFINSPEC-39 Set sonarscanner options using properties file [#5872](https://github.com/inspec/inspec/pull/5872) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 5.1.3 -->
- No diff fix [#5884](https://github.com/inspec/inspec/pull/5884) ([wdower](https://github.com/wdower)) <!-- 5.1.2 -->
- Delete resource docs from inspec/inspec [#5868](https://github.com/inspec/inspec/pull/5868) ([IanMadd](https://github.com/IanMadd)) <!-- 5.1.1 -->
- CFINSPEC-2 Added options to allow winrm SSL connection with certificates [#5793](https://github.com/inspec/inspec/pull/5793) ([Nik08](https://github.com/Nik08)) <!-- 5.1.0 -->
- Descriptions for all the schema attributes [#5790](https://github.com/inspec/inspec/pull/5790) ([Amndeep7](https://github.com/Amndeep7)) <!-- 5.0.6 -->
- CFINSPEC-45: Update rspec version to 3.11 [#5837](https://github.com/inspec/inspec/pull/5837) ([Vasu1105](https://github.com/Vasu1105)) <!-- 5.0.5 -->
- Always expire the git cache when running omnibus jobs [#5865](https://github.com/inspec/inspec/pull/5865) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 5.0.4 -->
- CFINSPEC-38: Fix test failing after release branch update. [#5862](https://github.com/inspec/inspec/pull/5862) ([Vasu1105](https://github.com/Vasu1105)) <!-- 5.0.3 -->
- Make sure verify pipeline is marked public [#5858](https://github.com/inspec/inspec/pull/5858) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 5.0.2 -->
- Add sonarscanner [#5856](https://github.com/inspec/inspec/pull/5856) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 5.0.1 -->
- Update README to update ruby version support. [#5855](https://github.com/inspec/inspec/pull/5855) ([Vasu1105](https://github.com/Vasu1105)) <!-- 5.0.0 -->
- CFINSPEC-17 Ruby 3 support [#5822](https://github.com/inspec/inspec/pull/5822) ([Vasu1105](https://github.com/Vasu1105)) <!-- 4.56.10 -->
- Fix The Broken Links [#5840](https://github.com/inspec/inspec/pull/5840) ([dishanktiwari2501](https://github.com/dishanktiwari2501)) <!-- 4.56.9 -->
- Bump omnibus-software from `c7a43ec` to `a4f4849` in /omnibus [#5849](https://github.com/inspec/inspec/pull/5849) ([dependabot[bot]](https://github.com/dependabot[bot])) <!-- 4.56.8 -->
- Resolve bugs detected on SonarCloud [#5845](https://github.com/inspec/inspec/pull/5845) ([ahasunos](https://github.com/ahasunos)) <!-- 4.56.7 -->
- CFINSPEC-43 Init plugin functionality extended for streaming_reporter [#5836](https://github.com/inspec/inspec/pull/5836) ([Nik08](https://github.com/Nik08)) <!-- 4.56.6 -->
- CFINSPEC-38 Adds label in expeditor configuration file for major version bump [#5839](https://github.com/inspec/inspec/pull/5839) ([Vasu1105](https://github.com/Vasu1105)) <!-- 4.56.5 -->
- CFINSPEC-38 Adds new release branch for InSpec 5 release. [#5835](https://github.com/inspec/inspec/pull/5835) ([Vasu1105](https://github.com/Vasu1105)) <!-- 4.56.4 -->
- Bump omnibus from `2bf77bb` to `55e74ac` in /omnibus [#5813](https://github.com/inspec/inspec/pull/5813) ([dependabot[bot]](https://github.com/dependabot[bot])) <!-- 4.56.3 -->
- Bump omnibus-software from `b646bed` to `c7a43ec` in /omnibus [#5824](https://github.com/inspec/inspec/pull/5824) ([dependabot[bot]](https://github.com/dependabot[bot])) <!-- 4.56.2 -->
- CFINSPEC-30 Fix sestatus command not found error on Amazon Linux 2 [#5828](https://github.com/inspec/inspec/pull/5828) ([Vasu1105](https://github.com/Vasu1105)) <!-- 4.56.1 -->
- [WIP] Setting up test coverage reporting [#5823](https://github.com/inspec/inspec/pull/5823) ([clintoncwolfe](https://github.com/clintoncwolfe)) <!-- 4.55.10 -->
- CFINSPEC-15 Allows inheritance of core resource into the custom resource. [#5816](https://github.com/inspec/inspec/pull/5816) ([Vasu1105](https://github.com/Vasu1105)) <!-- 4.55.9 -->
- CFINSPEC-5 Added more detailed description about waivers expiration date. [#5806](https://github.com/inspec/inspec/pull/5806) ([Vasu1105](https://github.com/Vasu1105)) <!-- 4.55.8 -->
- CFINSPEC-4 Fix in grub_conf resource to capture non indented grub conf values [#5810](https://github.com/inspec/inspec/pull/5810) ([Nik08](https://github.com/Nik08)) <!-- 4.55.7 -->
- Bump ffi from 1.15.4 to 1.15.5 in /omnibus [#5791](https://github.com/inspec/inspec/pull/5791) ([dependabot[bot]](https://github.com/dependabot[bot])) <!-- 4.55.6 -->
- Bump omnibus-software from `c2fb9a4` to `b646bed` in /omnibus [#5808](https://github.com/inspec/inspec/pull/5808) ([dependabot[bot]](https://github.com/dependabot[bot])) <!-- 4.55.5 -->
- IP Table resource: Added option to ignore rule comments [#5777](https://github.com/inspec/inspec/pull/5777) ([Nik08](https://github.com/Nik08)) <!-- 4.55.4 -->
- Fix for dependent profiles to run with --insecure [#5799](https://github.com/inspec/inspec/pull/5799) ([Nik08](https://github.com/Nik08)) <!-- 4.55.3 -->
- Bump omnibus-software from `94ef29b` to `c2fb9a4` in /omnibus [#5804](https://github.com/inspec/inspec/pull/5804) ([dependabot[bot]](https://github.com/dependabot[bot])) <!-- 4.55.2 -->
- Latest package version fetching regex fix - Package resource [#5797](https://github.com/inspec/inspec/pull/5797) ([Nik08](https://github.com/Nik08)) <!-- 4.55.1 -->
- Check for latest - package resource [#5771](https://github.com/inspec/inspec/pull/5771) ([Nik08](https://github.com/Nik08)) <!-- 4.52.17 -->
- Mssql session fix : Parsing multiline results [#5776](https://github.com/inspec/inspec/pull/5776) ([Nik08](https://github.com/Nik08)) <!-- 4.52.16 -->
- Fix broken link in README. Obvious fix. [#5772](https://github.com/inspec/inspec/pull/5772) ([guyzyl](https://github.com/guyzyl)) <!-- 4.52.15 -->
- Fix downloads links [#5773](https://github.com/inspec/inspec/pull/5773) ([IanMadd](https://github.com/IanMadd)) <!-- 4.52.14 -->
- Remove support for EOL Ruby 2.5 [#5783](https://github.com/inspec/inspec/pull/5783) ([tas50](https://github.com/tas50)) <!-- 4.52.13 -->
- Bump omnibus-software from `d2525ab` to `94ef29b` in /omnibus [#5788](https://github.com/inspec/inspec/pull/5788) ([dependabot[bot]](https://github.com/dependabot[bot])) <!-- 4.52.12 -->
- Adds esx platform support for bash resource [#5785](https://github.com/inspec/inspec/pull/5785) ([Vasu1105](https://github.com/Vasu1105)) <!-- 4.52.11 -->
- Bump Hugo to 0.91.2 [#5780](https://github.com/inspec/inspec/pull/5780) ([IanMadd](https://github.com/IanMadd)) <!-- 4.52.10 -->
<!-- release_rollup -->
<!-- latest_stable_release -->
## [v4.52.9](https://github.com/inspec/inspec/tree/v4.52.9) (2021-12-20)
#### New Features
- Target support for Alpine Linux [#5744](https://github.com/inspec/inspec/pull/5744) ([Nik08](https://github.com/Nik08))
- Implemented CLI option for executing private supermarket profiles [#5749](https://github.com/inspec/inspec/pull/5749) ([Nik08](https://github.com/Nik08))
#### Bug Fixes
- Fix ibmdb2_session resource : Added double quotes around the IBM db2 query [#5742](https://github.com/inspec/inspec/pull/5742) ([Vasu1105](https://github.com/Vasu1105))
#### Merged Pull Requests
- Fix typos and improve code highlighting in docs [#5692](https://github.com/inspec/inspec/pull/5692) ([tas50](https://github.com/tas50))
- Update dsl_inspec.md [#5721](https://github.com/inspec/inspec/pull/5721) ([paulcalabro](https://github.com/paulcalabro))
- Remove the instance_eval and eval_gemfile calls in omnibus [#5733](https://github.com/inspec/inspec/pull/5733) ([tas50](https://github.com/tas50))
- Fix docs to make property listing in the website docs more useful. [#5677](https://github.com/inspec/inspec/pull/5677) ([Vasu1105](https://github.com/Vasu1105))
- Fix FreeBSD service enabled check substring edge-case [#5606](https://github.com/inspec/inspec/pull/5606) ([zofrex](https://github.com/zofrex))
- Bump omnibus-software from `24f508c` to `7501e20` in /omnibus [#5735](https://github.com/inspec/inspec/pull/5735) ([dependabot[bot]](https://github.com/dependabot[bot]))
- Bump omnibus from `37897ad` to `2c309fa` in /omnibus [#5736](https://github.com/inspec/inspec/pull/5736) ([dependabot[bot]](https://github.com/dependabot[bot]))
- Bump test-kitchen from 3.1.0 to 3.2.0 in /omnibus [#5737](https://github.com/inspec/inspec/pull/5737) ([dependabot[bot]](https://github.com/dependabot[bot]))
- Fixes some minor docs formatting problems [#5739](https://github.com/inspec/inspec/pull/5739) ([IanMadd](https://github.com/IanMadd))
- Bump kitchen-vagrant from 1.10.0 to 1.11.0 in /omnibus [#5740](https://github.com/inspec/inspec/pull/5740) ([dependabot[bot]](https://github.com/dependabot[bot]))
- Bump omnibus-software from `7501e20` to `8560231` in /omnibus [#5752](https://github.com/inspec/inspec/pull/5752) ([dependabot[bot]](https://github.com/dependabot[bot]))
- Stop producing packages for macOS 10.14 [#5716](https://github.com/inspec/inspec/pull/5716) ([tas50](https://github.com/tas50))
- Bump test-kitchen from 3.2.0 to 3.2.2 in /omnibus [#5755](https://github.com/inspec/inspec/pull/5755) ([dependabot[bot]](https://github.com/dependabot[bot]))
- Oracle session fix when nil in query output [#5717](https://github.com/inspec/inspec/pull/5717) ([Nik08](https://github.com/Nik08))
- Fix docs to make property listing in the website docs more useful. [#5746](https://github.com/inspec/inspec/pull/5746) ([Vasu1105](https://github.com/Vasu1105))
- Fix a bunch of docs formatting problems [#5763](https://github.com/inspec/inspec/pull/5763) ([IanMadd](https://github.com/IanMadd))
- Fix: Alpine packages list command to only list installed packages [#5765](https://github.com/inspec/inspec/pull/5765) ([Nik08](https://github.com/Nik08))
- Bump omnibus-software from `8560231` to `d2525ab` in /omnibus [#5767](https://github.com/inspec/inspec/pull/5767) ([dependabot[bot]](https://github.com/dependabot[bot]))
- Bump omnibus from `2c309fa` to `2bf77bb` in /omnibus [#5764](https://github.com/inspec/inspec/pull/5764) ([dependabot[bot]](https://github.com/dependabot[bot]))
- Active support version fix for ruby versions less then 2.7 [#5770](https://github.com/inspec/inspec/pull/5770) ([Nik08](https://github.com/Nik08))
- Apply cookstyle to the example profile [#5680](https://github.com/inspec/inspec/pull/5680) ([tas50](https://github.com/tas50))
- Adds tls1.3 support in ssl resource. [#5762](https://github.com/inspec/inspec/pull/5762) ([Vasu1105](https://github.com/Vasu1105))
<!-- latest_stable_release -->
## [v4.50.3](https://github.com/inspec/inspec/tree/v4.50.3) (2021-11-19)
#### New Features
- Add Windows support for http resource. [#5697](https://github.com/inspec/inspec/pull/5697) ([Vasu1105](https://github.com/Vasu1105))
#### Bug Fixes
- Updates habitat test for windows to match install logic for linux [#5718](https://github.com/inspec/inspec/pull/5718) ([collinmcneese](https://github.com/collinmcneese))
#### Merged Pull Requests
- Move cookstyle dep from inspec gemspec to inspec-core, add rake [#5722](https://github.com/inspec/inspec/pull/5722) ([clintoncwolfe](https://github.com/clintoncwolfe))
- Disable CookStyle integration on Windows [#5724](https://github.com/inspec/inspec/pull/5724) ([clintoncwolfe](https://github.com/clintoncwolfe))
- Move rake and cookstyle deps out of inspec core gemspec [#5732](https://github.com/inspec/inspec/pull/5732) ([clintoncwolfe](https://github.com/clintoncwolfe))
- Remove license note + update resource count in main docs page [#5639](https://github.com/inspec/inspec/pull/5639) ([tas50](https://github.com/tas50))
## [v4.49.0](https://github.com/inspec/inspec/tree/v4.49.0) (2021-10-27)
#### New Features
- Add support for Cassandra DB [#5683](https://github.com/inspec/inspec/pull/5683) ([Nik08](https://github.com/Nik08))
#### Merged Pull Requests
- Replaced /main/ from /master/ [#5678](https://github.com/inspec/inspec/pull/5678) ([dishanktiwari2501](https://github.com/dishanktiwari2501))
- Add back Ubuntu 16.04 packages + testing [#5689](https://github.com/inspec/inspec/pull/5689) ([tas50](https://github.com/tas50))
- Update OpenSSL on macOS to 1.1.1l [#5687](https://github.com/inspec/inspec/pull/5687) ([tas50](https://github.com/tas50))
- Update the unit test files to use latest versions of OS rather than the older. [#5681](https://github.com/inspec/inspec/pull/5681) ([Vasu1105](https://github.com/Vasu1105))
- Improvements to the inspec.yml docs [#5679](https://github.com/inspec/inspec/pull/5679) ([tas50](https://github.com/tas50))
- Update GCS Storage class list [#5676](https://github.com/inspec/inspec/pull/5676) ([pradeepbhadani](https://github.com/pradeepbhadani))
- Group &amp; User Resources - Resolve name case-sensitivity issue for windows [#5667](https://github.com/inspec/inspec/pull/5667) ([Nik08](https://github.com/Nik08))
- Renamed Inspec DSL to Inspec Language [#5694](https://github.com/inspec/inspec/pull/5694) ([dishanktiwari2501](https://github.com/dishanktiwari2501))
- Fix google_container_node_pool.md [#5696](https://github.com/inspec/inspec/pull/5696) ([pradeepbhadani](https://github.com/pradeepbhadani))
- Enable repeatable builds by bundling Gemfile.lock [#5688](https://github.com/inspec/inspec/pull/5688) ([tas50](https://github.com/tas50))
- Oracle db session resource fix - when invoking query using os user and db role [#5702](https://github.com/inspec/inspec/pull/5702) ([Nik08](https://github.com/Nik08))
- Fix Oracle db session resource issues [#5706](https://github.com/inspec/inspec/pull/5706) ([Nik08](https://github.com/Nik08))
- InSpec Waivers: --filter-waived-controls [#5327](https://github.com/inspec/inspec/pull/5327) ([Schwad](https://github.com/Schwad))
- Fix windows_firewall resource fails to validate more than 1 rule depending on how it&#39;s executed [#5704](https://github.com/inspec/inspec/pull/5704) ([Vasu1105](https://github.com/Vasu1105))
- Integrate InSpec check with Cookstyle [#5618](https://github.com/inspec/inspec/pull/5618) ([Nik08](https://github.com/Nik08))
## [v4.46.13](https://github.com/inspec/inspec/tree/v4.46.13) (2021-09-30)
#### New Features
- Add support for Sybase databases [#5561](https://github.com/inspec/inspec/pull/5561) ([clintoncwolfe](https://github.com/clintoncwolfe))
- Add ibmdb2_conf and ibmdb2_session resource [#5614](https://github.com/inspec/inspec/pull/5614) ([Vasu1105](https://github.com/Vasu1105))
- adds chrony_conf InSpec resource [#5589](https://github.com/inspec/inspec/pull/5589) ([collinmcneese](https://github.com/collinmcneese))
#### Enhancements
- Add csv without headers support in csv resource [#5665](https://github.com/inspec/inspec/pull/5665) ([Vasu1105](https://github.com/Vasu1105))
- Add option in `postgres_session` resource to establish socket connection [#5664](https://github.com/inspec/inspec/pull/5664) ([Nik08](https://github.com/Nik08))
#### Bug Fixes
- Fix main in expeditor script [#5669](https://github.com/inspec/inspec/pull/5669) ([kagarmoe](https://github.com/kagarmoe))
- Fix --tags filter for dependent profiles [#5657](https://github.com/inspec/inspec/pull/5657) ([Nik08](https://github.com/Nik08))
#### Merged Pull Requests
- Add labeler workflow with docs label [#5655](https://github.com/inspec/inspec/pull/5655) ([IanMadd](https://github.com/IanMadd))
- Docs edits [#5654](https://github.com/inspec/inspec/pull/5654) ([IanMadd](https://github.com/IanMadd))
- Fix branch name in docs makefile [#5660](https://github.com/inspec/inspec/pull/5660) ([IanMadd](https://github.com/IanMadd))
- Update inspec check docs for --format option [#5617](https://github.com/inspec/inspec/pull/5617) ([Vasu1105](https://github.com/Vasu1105))
- Add support for Mssql Conf resource [#5574](https://github.com/inspec/inspec/pull/5574) ([Nik08](https://github.com/Nik08))
- Add support for Oracle Configuration Resources (Oracle Db Conf &amp; Oracle Listener Conf) [#5573](https://github.com/inspec/inspec/pull/5573) ([Nik08](https://github.com/Nik08))
- Added missing cli commands in cli doc [#5634](https://github.com/inspec/inspec/pull/5634) ([Nik08](https://github.com/Nik08))
- Fix google_project_alert_policy Examples in the docs [#5426](https://github.com/inspec/inspec/pull/5426) ([wmetaw](https://github.com/wmetaw))
- Update code to remove ruby 2.4 support [#5645](https://github.com/inspec/inspec/pull/5645) ([Vasu1105](https://github.com/Vasu1105))
- Minor docs fixes. [#5662](https://github.com/inspec/inspec/pull/5662) ([IanMadd](https://github.com/IanMadd))
- Add rocky and almalinux to service resource [#5604](https://github.com/inspec/inspec/pull/5604) ([sspans-sbp](https://github.com/sspans-sbp))
- Change the deprecation warning to mention inputs [#5668](https://github.com/inspec/inspec/pull/5668) ([damacus](https://github.com/damacus))
- Build packages for debian 11, macos 12, windows 11/2022 [#5675](https://github.com/inspec/inspec/pull/5675) ([tas50](https://github.com/tas50))
- Fix --controls option was not working for dependent profile [#5656](https://github.com/inspec/inspec/pull/5656) ([Vasu1105](https://github.com/Vasu1105))
- Fix opa_cli and opa_api resource unable to verify empty result {} [#5671](https://github.com/inspec/inspec/pull/5671) ([Vasu1105](https://github.com/Vasu1105))
## [v4.41.20](https://github.com/inspec/inspec/tree/v4.41.20) (2021-09-01)
#### Merged Pull Requests
- Build fix for ruby version 2.5 - HTML Proofer gem installation error [#5610](https://github.com/inspec/inspec/pull/5610) ([Nik08](https://github.com/Nik08))
- Fix range based filtering in filter tables [#5598](https://github.com/inspec/inspec/pull/5598) ([Nik08](https://github.com/Nik08))
- Fix apache_conf issue when Server Root is not present in configuration [#5601](https://github.com/inspec/inspec/pull/5601) ([Nik08](https://github.com/Nik08))
- Fix `--insecure` not working with profile [#5600](https://github.com/inspec/inspec/pull/5600) ([Nik08](https://github.com/Nik08))
- Fix `--chef-license=accept` option to only show license accepted message [#5609](https://github.com/inspec/inspec/pull/5609) ([Nik08](https://github.com/Nik08))
- Fix postgres_session error Unable to connect to database [#5619](https://github.com/inspec/inspec/pull/5619) ([Vasu1105](https://github.com/Vasu1105))
- Fix merging of included conf and main conf params in apache conf [#5623](https://github.com/inspec/inspec/pull/5623) ([Nik08](https://github.com/Nik08))
- Add aliyun3 support to service resource [#5578](https://github.com/inspec/inspec/pull/5578) ([elsnepal](https://github.com/elsnepal))
- Fedora runtime support documented [#5628](https://github.com/inspec/inspec/pull/5628) ([Nik08](https://github.com/Nik08))
- Updated inspec-aws git url to replace branch to master to main [#5637](https://github.com/inspec/inspec/pull/5637) ([Vasu1105](https://github.com/Vasu1105))
- Replace use of wmic from security_identifier resource as it will be deprecated soon [#5636](https://github.com/inspec/inspec/pull/5636) ([Vasu1105](https://github.com/Vasu1105))
- Updated security_policy resource docs [#5633](https://github.com/inspec/inspec/pull/5633) ([Vasu1105](https://github.com/Vasu1105))
- Added info about the Minitest framework in contributing doc [#5630](https://github.com/inspec/inspec/pull/5630) ([Nik08](https://github.com/Nik08))
- Fix for security_policy resource does not return array for local groups [#5629](https://github.com/inspec/inspec/pull/5629) ([Vasu1105](https://github.com/Vasu1105))
- Proposed implementation for installation warnings [#5625](https://github.com/inspec/inspec/pull/5625) ([tecracer-theinen](https://github.com/tecracer-theinen))
- Update location of default branch for omnibus and omnibus-software [#5648](https://github.com/inspec/inspec/pull/5648) ([clintoncwolfe](https://github.com/clintoncwolfe))
- Fix url fetcher when default git profile branch is not master [#5638](https://github.com/inspec/inspec/pull/5638) ([Nik08](https://github.com/Nik08))
- Fix tags processing issue in profiles [#5643](https://github.com/inspec/inspec/pull/5643) ([Nik08](https://github.com/Nik08))
## [v4.41.2](https://github.com/inspec/inspec/tree/v4.41.2) (2021-08-16)
#### New Features
- Add support for OPA: add resource opa_cli and opa_api [#5592](https://github.com/inspec/inspec/pull/5592) ([Vasu1105](https://github.com/Vasu1105))
#### Bug Fixes
- Pin mongo gem to 2.13.2 to avoid broken symlink [#5615](https://github.com/inspec/inspec/pull/5615) ([clintoncwolfe](https://github.com/clintoncwolfe))
#### Merged Pull Requests
- Add mongodb_session resource and docs. [#5572](https://github.com/inspec/inspec/pull/5572) ([Vasu1105](https://github.com/Vasu1105))
- Filter active controls in profile by tags [#5596](https://github.com/inspec/inspec/pull/5596) ([Nik08](https://github.com/Nik08))
- Remove empty .gitmodules file [#5616](https://github.com/inspec/inspec/pull/5616) ([tduffield](https://github.com/tduffield))
- Fix the typo in documentation file for opa_api resource [#5608](https://github.com/inspec/inspec/pull/5608) ([Vasu1105](https://github.com/Vasu1105))
## [v4.38.9](https://github.com/inspec/inspec/tree/v4.38.9) (2021-07-22)
#### Enhancements
- Remove default port for mssql_session, allowing named connections [#5584](https://github.com/inspec/inspec/pull/5584) ([Nik08](https://github.com/Nik08))
- Update postgresql resources to normalize it for platform supports [#5576](https://github.com/inspec/inspec/pull/5576) ([Vasu1105](https://github.com/Vasu1105))
#### Merged Pull Requests
- Oracle Session Exception Handling [#5567](https://github.com/inspec/inspec/pull/5567) ([Nik08](https://github.com/Nik08))
- Waiver file expiration dates misinterpretation fix [#5586](https://github.com/inspec/inspec/pull/5586) ([Nik08](https://github.com/Nik08))
- Need to back out x25519 gem as its causing issues for ssh [#5590](https://github.com/inspec/inspec/pull/5590) ([Vasu1105](https://github.com/Vasu1105))
- Use ruby 2.7.4 [#5602](https://github.com/inspec/inspec/pull/5602) ([clintoncwolfe](https://github.com/clintoncwolfe))
- Remove mention of AWS tests from README [#5603](https://github.com/inspec/inspec/pull/5603) ([clintoncwolfe](https://github.com/clintoncwolfe))
## [v4.38.3](https://github.com/inspec/inspec/tree/v4.38.3) (2021-07-02)
#### Merged Pull Requests
@ -27,7 +218,6 @@
- Fix AWS secret key environment variable name in docs [#5566](https://github.com/inspec/inspec/pull/5566) ([sandratiffin](https://github.com/sandratiffin))
- Fix relative links [#5556](https://github.com/inspec/inspec/pull/5556) ([IanMadd](https://github.com/IanMadd))
- Misc updates to the README [#5526](https://github.com/inspec/inspec/pull/5526) ([clintoncwolfe](https://github.com/clintoncwolfe))
<!-- latest_stable_release -->
## [v4.37.30](https://github.com/inspec/inspec/tree/v4.37.30) (2021-06-16)


@ -26,7 +26,7 @@ We have a 3 step process for contributions:
Chef Projects are built to last. We strive to ensure high quality throughout the experience. In order to ensure this, we require that all pull requests to Chef projects meet these specifications:
1. **Tests:** To ensure high quality code and protect against future regressions, we require all the code in Chef Projects to have at least unit test coverage. See the [test/unit](https://github.com/inspec/inspec/tree/master/test/unit)
directory for the existing tests and use ```bundle exec rake test``` to run them.
directory for the existing tests and use ```bundle exec rake test``` to run them. It should be good to know InSpec uses [minitest](https://github.com/seattlerb/minitest) as a testing framework.
2. **Green CI Tests:** We use [Travis CI](https://travis-ci.org/) and/or [AppVeyor](https://www.appveyor.com/) CI systems to test all pull requests. We require these test runs to succeed on every pull request before being merged.
3. **Up-to-date Documentation:** Every code change should be reflected in an update for our [documentation](https://github.com/inspec/inspec/tree/master/docs-chef-io). We expect PRs to update the documentation with the code change.
@ -132,7 +132,7 @@ Date: Wed Sep 18 11:44:40 2015 -0700
### Release Formats
Our primary shipping vehicle is operating system specific packages that includes all the requirements of InSpec. We call these Omnibus packages, and they are available from [downloads.chef.io](https://downloads.chef.io/inspec). InSpec is also bundled with recent Chef Infra Client and Chef Workstation toolkits.
Our primary shipping vehicle is operating system specific packages that includes all the requirements of InSpec. We call these Omnibus packages, and they are available from [Chef Downloads](https://www.chef.io/downloads/tools/inspec). InSpec is also bundled with recent Chef Infra Client and Chef Workstation toolkits.
InSpec is also available as a [Docker image](https://hub.docker.com/r/chef/inspec) and a [Habitat package](https://bldr.habitat.sh/#/pkgs/chef/inspec/latest).


@ -1,7 +1,7 @@
FROM ubuntu:18.04
LABEL maintainer="Chef Software, Inc. <docker@chef.io>"
ARG VERSION=4.38.3
ARG VERSION=4.52.9
ARG CHANNEL=stable
ENV PATH=/opt/inspec/bin:/opt/inspec/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Gemfile

@ -11,31 +11,15 @@ gem "inspec-bin", path: "./inspec-bin"
gem "ffi", ">= 1.9.14", "!= 1.13.0", "!= 1.14.2"
if Gem.ruby_version.to_s.start_with?("2.5")
# 16.7.23 required ruby 2.6+
gem "chef-utils", "< 16.7.23" # TODO: remove when we drop ruby 2.5
end
# inspec tests depend text output that changed in the 3.10 release
# but our runtime dep is still 3.9+
gem "rspec", ">= 3.10"
def probably_x86?
# We don't currently build on ARM windows, so assume x86 there
return true if RUBY_PLATFORM =~ /windows|mswin|msys|mingw|cygwin/
# Otherwise rely on uname -m
`uname -m`.match?(/^(x86_64|i\d86)/)
end
group :omnibus do
gem "rb-readline"
gem "appbundler"
gem "ed25519" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec
gem "bcrypt_pbkdf" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec
if probably_x86?
gem "x25519" # ed25519 KEX module, not supported on ARM
end
end
group :test do
@ -52,7 +36,8 @@ group :test do
gem "pry", "~> 0.10"
gem "rake", ">= 10"
gem "ruby-progressbar", "~> 1.8"
gem "simplecov", "~> 0.18"
gem "simplecov", "~> 0.21"
gem "simplecov_json_formatter"
gem "webmock", "~> 3.0"
end
@ -73,3 +58,7 @@ if Gem.ruby_version >= Gem::Version.new("2.7.0")
gem "git"
end
end
if Gem.ruby_version < Gem::Version.new("2.7.0")
gem "activesupport", "6.1.4.4"
end
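Review bot: The new `if Gem.ruby_version < Gem::Version.new("2.7.0")` block pinning `gem "activesupport", "6.1.4.4"` in the last hunk carries no comment explaining the exact pin, unlike the chef-utils pin this commit removes, and it targets a Ruby range that the README hunk in the same commit says is no longer supported (`Chef InSpec requires Ruby ( >= 2.7 )`). Either drop the block or document its purpose, e.g. `# TODO: remove once Ruby < 2.7 support is fully dropped; newer activesupport releases need 2.7+`. The first hunk also deletes the `:omnibus` group with `ed25519`, `bcrypt_pbkdf` and the conditional `x25519`; if those gems did not move to the gemspec, ed25519 SSH key support would silently disappear from omnibus builds, which is not visible from this page and worth confirming.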


@ -55,18 +55,13 @@ inspec exec test.rb -t docker://container_id
## Installation
Chef InSpec requires Ruby ( >= 2.6 ). Ruby 2.5 support is limited and requires Bundler with an entry in the Gemfile:
```
# 16.7.23 required ruby 2.6+
gem "chef-utils", "< 16.7.23"
```
Chef InSpec requires Ruby ( >= 2.7 ).
Note: Versions of Chef InSpec 4.0 and later require accepting the EULA to use. Please visit the [license acceptance page](https://docs.chef.io/chef_license_accept.html) on the Chef docs site for more information.
### Install as package
The Chef InSpec package is available for MacOS, RedHat, Ubuntu and Windows. Download the latest package at [Chef InSpec Downloads](https://downloads.chef.io/inspec) or install Chef InSpec via script:
The Chef InSpec package is available for MacOS, RedHat, Ubuntu and Windows. Download the latest package at [Chef InSpec Downloads](https://www.chef.io/downloads/tools/inspec) or install Chef InSpec via script:
```
# RedHat, Ubuntu, and macOS
@ -142,7 +137,7 @@ Finished in 0.04321 seconds (files took 0.54917 seconds to load)
### Install it from source
Note that installing from OS packages from [the download page](https://downloads.chef.io) is the preferred method.
Note that installing from OS packages from [the download page](https://www.chef.io/downloads/tools/inspec) is the preferred method.
That requires [bundler](http://bundler.io/):
@ -322,6 +317,7 @@ Remote Targets
| Gentoo Linux | | x86_64 |
| Arch Linux | | x86_64 |
| HP-UX | 11.31 | ia64 |
| Alpine Linux | | x86_64 |
\**For Windows, PowerShell 5.0 or above is required.*
@ -332,6 +328,7 @@ In addition, runtime support is provided for:
| macOS | 10.14+ | x86_64 |
| Debian | 9, 10 | x86_64 |
| RHEL | 6, 7, 8 | x86_64 |
| Fedora | 29+ | x86_64 |
| Ubuntu | 16.04+ | x86_64 |
| Windows | 8+ | x86_64 |
| Windows | 2012+ | x86_64 |
@ -384,11 +381,10 @@ As a reminder, all participants are expected to follow the [Code of Conduct](htt
## Testing Chef InSpec
We offer `unit`, `integration`, and `aws` tests.
We offer `unit` and `integration` tests.
- `unit` tests ensure the intended behaviour of the implementation
- `integration` tests run against Docker-based VMs via test-kitchen and [kitchen-inspec](https://github.com/chef/kitchen-inspec)
- `aws` tests exercise the AWS resources against real AWS accounts
### Unit tests


@ -1 +1 @@
4.38.7
5.1.3


@ -55,7 +55,7 @@ Actual HTTP communication is handled by `InspecPlugins::Compliance::HTTP`, again
#### lib/http.rb
This is probably unneccesary. It is a wrapper around Net:HTTP. Instead, we should probably be using a REST API wrapper or something similar.
This is probably unnecessary. It is a wrapper around Net:HTTP. Instead, we should probably be using a REST API wrapper or something similar.
#### lib/support.rb


@ -40,7 +40,7 @@ class Thing < Inspec.resource(1)
filter_table_config.install_filter_methods_on_resource(self, :fetch_data)
def fetch_data
# This method should return an array of hashes - the raw data. We'll hardcode it here.
# This method should return an array of hashes - the raw data. We'll hard code it here.
[
{ thing_id: 1, color: :red },
{ thing_id: 2, color: :blue, tackiness: 'very' },
@ -301,7 +301,7 @@ This method behaves just like `thing_ids`, except that it returns the values of
You also get this for `thing_ids`. This is unrelated to `style: :simple` for `colors`.
People definitely use this in the wild. It reads badly to me; I think this is a legacy usage that we should consider deprecating. To me, this seems to imply that there is a sub-resource (here, colors) we are auditing. At least two core resouces (`xinetd_conf` and `users`) advocate this as their primary use.
People definitely use this in the wild. It reads badly to me; I think this is a legacy usage that we should consider deprecating. To me, this seems to imply that there is a sub-resource (here, colors) we are auditing. At least two core resources (`xinetd_conf` and `users`) advocate this as their primary use.
```ruby
# Filter on colors


@ -45,10 +45,13 @@ Generates an InSpec plugin, which can extend the functionality of InSpec itself.
`--detail` This option can be used to skip generation of test files or gemspec file. Available values `full`, `core` or `test-fixture`.
`--activator` Available activator type are `cli_command` and `reporter`. The default activator type is "cli_command".
`--activator` Available activator type are `cli_command`, `reporter` and `streaming_reporter`. The default activator type is "cli_command".
Usage: `inspec init pluign <inspec-plugin-name> --activator "cli_command:my_test"`
`OR`
`inspec init plugin <inspec-plugin-reporter-name> --activator "reporter:my_reporter"`
`OR`
`inspec init plugin <inspec-plugin-streaming-reporter-name> --activator "streaming_reporter:my_streaming_reporter"`
**Note:** The InSpec plugin generator can currently only generate one activator of each type.


@ -488,6 +488,72 @@ v0.1.0 - Initial version
v0.2.0 - added `run_data.profiles[0].inputs[0].options.sensitive`
v0.3.0 - added resource_name && params
## Implementing Streaming Reporter Plugins
Streaming Reporter plugins offer the opportunity to customize or create a plugin which operates real-time as the Chef Inspec tests runs. Streaming reporters perform streaming using RSpec custom formatters.
### Declare your plugin activators
In your `plugin.rb`, include one or more `streaming_reporter` activation blocks. The activation block name will be matched against the value passed into the `--reporter` option. If a match occurs, your activator will fire, which loads any needed libraries, and return your implementation class.
#### Streaming Reporter Activator Example
```ruby
# In plugin.rb
module InspecPlugins::Sweeten
class Plugin < Inspec.plugin(2)
# ... other plugin stuff
streaming_reporter :streaming_sweet do
require_relative 'streaming_reporter.rb'
InspecPlugins::Sweeten::StreamingReporter
end
end
end
```
Like any activator, the block above will only be called if needed. For Streaming Reporter plugins, the plugin system examines the `--reporter` argument, or the `reporter:` JSON config option, and looks for the activation name as a prefix. Multiple Reporter activations may occur if several different names match, though each activation will only occur once.
```bash
you@machine $ inspec exec --reporter streaming_sweet # Your Reporter implementation is activated and executed
you@machine $ inspec exec --reporter json # Your Reporter implementation is not activated
```
### Implementation class for Streaming Reporters
In your `streaming_reporter.rb`, you should begin by requesting the superclass from `Inspec.plugin`:
```ruby
module InspecPlugins::Sweeten
class StreamingReporter < Inspec.plugin(2, :streaming_reporter)
RSpec::Core::Formatters.register self, :example_passed, :example_failed, :example_pending
def initialize output
@output = output
end
def example_passed notification # ExampleNotification
# some logic to run on passing test
end
def example_failed notification # FailedExampleNotification
# some logic to run on failing test
end
def example_pending notification # ExampleNotification
# some logic to run on pending test
end
end
end
```
### Implementing your Streaming Reporter
A streaming reporter is a custom RSpec formatter which is used as an InSpec plugin. And it can be used for performing operations real-time using RSpec formatter methods like `example_passed`, `example_failed` and `example_pending`. Being an RSpec formatter, the method needs to be registered with `RSpec::Core::Formatters`.
This tutorial on [How to write RSpec formatters from Scratch](https://ieftimov.com/post/how-to-write-rspec-formatters-from-scratch/) will come handy.
## Implementing Input Plugins
Input plugins provide values for Chef InSpec Inputs - the parameters you can place within profile control code.


@ -14,7 +14,7 @@ serve: chef_web_docs
chef_web_docs:
if [ -d "chef-web-docs/" ]; then \
pushd chef-web-docs && git reset HEAD --hard; git clean -fd; git pull --ff-only origin master; rm -rf public && popd; \
pushd chef-web-docs && git reset HEAD --hard; git clean -fd; git pull --ff-only origin main; rm -rf public && popd; \
else \
git clone https://github.com/chef/chef-web-docs.git; \
fi
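Review bot: The rewritten `pushd chef-web-docs && git reset HEAD --hard; git clean -fd; git pull --ff-only origin main; rm -rf public && popd` line keeps `;` separators, so a failed `pushd` or `git pull` does not stop the chain and `git clean -fd` plus `rm -rf public` still run, against the docs-chef-io directory itself if `pushd` failed or against a stale checkout if the pull failed. The surrounding `if [ -d "chef-web-docs/" ]` test makes the pushd failure unlikely, but the pull failure is ordinary (no network, diverged branch). Since the line is being touched anyway, chaining with `&&` throughout would make the recipe fail closed: `pushd chef-web-docs && git reset HEAD --hard && git clean -fd && git pull --ff-only origin main && rm -rf public && popd; \`.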


@ -20,7 +20,7 @@ the top of the page that you want to edit. The link takes you to that topic's Gi
page. In GitHub, click on the pencil icon and make your changes. You can preview
how they'll look right on the page ("Preview Changes" tab).
We also require contributors to include their [DCO signoff](https://github.com/chef/chef/blob/master/CONTRIBUTING.md#developer-certification-of-origin-dco)
We also require contributors to include their [DCO signoff](https://github.com/chef/chef/blob/main/CONTRIBUTING.md#developer-certification-of-origin-dco)
in the comment section of every pull request, except for obvious fixes. You can
add your DCO signoff to the comments by including `Signed-off-by:`, followed by
your name and email address, like this:


@ -1,2 +1,2 @@
[params.inspec]
gh_path = "https://github.com/inspec/inspec/tree/master/docs-chef-io/content/"
gh_path = "https://github.com/inspec/inspec/tree/main/docs-chef-io/content/"


@ -16,13 +16,6 @@ gh_repo = "inspec"
Chef InSpec is an open-source framework for testing and auditing your applications and infrastructure. Chef InSpec works by comparing the actual state of your system with the desired state that you express in easy-to-read and easy-to-write Chef InSpec code. Chef InSpec detects violations and displays findings in the form of a report, but puts you in control of remediation.
{{< note >}}
Versions of Chef InSpec 4.0 and later require accepting the EULA. Please
visit the [license acceptance page](/chef_license_accept/) for more information.
{{< /note >}}
## Getting started with Chef InSpec
Below are some of the core concepts that make up Chef InSpec.
@ -40,7 +33,7 @@ including tests from the [Chef Supermarket](https://supermarket.chef.io/)
or by adding tests from the [Dev-Sec Project](http://dev-sec.io/) as dependencies.
You can also customize your tests--pulling in the tests from our Supermarket and
change them to suit your unique needs with the easy-to-read and easy-to-write Chef
InSpec domain specific language.
InSpec language.
### Target your system
@ -52,6 +45,6 @@ InSpec to target applications and services running on AWS and Azure.
### Resources
Chef InSpec has 80+ [resources](/inspec/resources/) ready use--apache to zfs pool.
Chef InSpec nearly 500 [resources](/inspec/resources/) ready use--Apache2 to ZFS pool.
If you need a solution that we havent provided, you can write your own [custom
resource](/inspec/dsl_resource/).


@ -15,7 +15,7 @@ Use the InSpec CLI to run tests and audits against targets using local, SSH, Win
## archive
Archive a profile to tar.gz (default) or zip
Archive a profile to tar.gz (default) or zip.
### Syntax
@ -27,14 +27,14 @@ inspec archive PATH
### Options
This subcommand has additional options:
This subcommand has the following additional options:
* ``--airgap``, ``--no-airgap``
Fallback to using local archives if fetching fails.
* ``--ignore-errors``, ``--no-ignore-errors``
Ignore profile warnings.
* ``-o``, ``--output=OUTPUT``
Save the archive to a path
Save the archive to a path.
* ``--overwrite``, ``--no-overwrite``
Overwrite existing archive.
* ``--profiles-path=PROFILES_PATH``
@ -42,14 +42,25 @@ This subcommand has additional options:
* ``--tar``, ``--no-tar``
Generates a tar.gz archive.
* ``--vendor-cache=VENDOR_CACHE``
Use the given path for caching dependencies. (default: ~/.inspec/cache)
Use the given path for caching dependencies, (default: `~/.inspec/cache`).
* ``--zip``, ``--no-zip``
Generates a zip archive.
## automate
Communicate with Chef Automate.
### Syntax
This subcommand has the following syntax:
```bash
inspec automate SUBCOMMAND
```
## check
Verify metadata in inspec.yml. Verify control data has fields (title, description,
impact) defined and that all controls have visible tests.
Verify the metadata in the inspec.yml file, verify that control blocks have the correct fields (title, description, impact) defined, that all controls have visible tests, and that controls are not using deprecated InSpec DSL code.
### Syntax
@ -61,18 +72,18 @@ inspec check PATH
### Options
This subcommand has additional options:
This subcommand has the following additional options:
* ``--format=FORMAT``
The output format to use. Valid values: `json` and `doc`. Default value: `doc`.
* ``--profiles-path=PROFILES_PATH``
Folder which contains referenced profiles.
* ``--vendor-cache=VENDOR_CACHE``
Use the given path for caching dependencies. (default: ~/.inspec/cache)
Use the given path for caching dependencies, (default: `~/.inspec/cache`).
## detect
Detect the target os
Detect the target OS.
### Syntax
@ -84,16 +95,24 @@ inspec detect
### Options
This subcommand has additional options:
This subcommand has the following additional options:
* ``-b``, ``--backend=BACKEND``
Choose a backend: local, ssh, winrm, docker.
* ``--bastion-host=BASTION_HOST``
Specifies the bastion host if applicable
Specifies the bastion host if applicable.
* ``--bastion-port=BASTION_PORT``
Specifies the bastion port if applicable
Specifies the bastion port if applicable.
* ``--bastion-user=BASTION_USER``
Specifies the bastion user if applicable
Specifies the bastion user if applicable.
* ``--ca-trust-file=PATH_TO_CA_TRUST_FILE``
Specify CA certificate required for SSL authentication (WinRM).
* ``--client-cert=PATH_TO_CLIENT_CERTIFICATE``
Specify client certificate required for SSL authentication (WinRM).
* ``--client-key=PATH_TO_CLIENT_KEY``
Specify client key required with client certificate for SSL authentication (WinRM).
* ``--client-key-pass=CLIENT_CERT_PASSWORD``
Specify client certificate password, if required for SSL authentication (WinRM).
* ``--config=CONFIG``
Read configuration from JSON file (`-` reads from stdin).
* ``--docker-url``
@ -105,7 +124,7 @@ This subcommand has additional options:
* ``--host=HOST``
Specify a remote host which is tested.
* ``--insecure``, ``--no-insecure``
Disable SSL verification on select targets
Disable SSL verification on select targets.
* ``-i``, ``--key-files=one two three``
Login key or certificate file for a remote scan.
* ``--password=PASSWORD``
@ -115,7 +134,7 @@ This subcommand has additional options:
* ``-p``, ``--port=N``
Specify the login port for a remote scan.
* ``--proxy-command=PROXY_COMMAND``
Specifies the command to use to connect to the server
Specifies the command to use to connect to the server.
* ``--self-signed``, ``--no-self-signed``
Allow remote scans with self-signed certificates (WinRM).
* ``--shell``, ``--no-shell``
@ -126,6 +145,8 @@ This subcommand has additional options:
Additional shell options.
* ``--ssl``, ``--no-ssl``
Use SSL for transport layer encryption (WinRM).
* ``--ssl-peer-fingerprint``
Specify ssl peer fingerprint in lieu of certificates, for SSL authentication (WinRM).
* ``--sudo``, ``--no-sudo``
Run scans with sudo. Only activates on Unix and non-root user.
* ``--sudo-command=SUDO_COMMAND``
@ -135,9 +156,9 @@ This subcommand has additional options:
* ``--sudo-password=SUDO_PASSWORD``
Specify a sudo password, if it is required.
* ``-t``, ``--target=TARGET``
Simple targeting option using URIs, e.g. ssh://user:pass@host:port
Simple targeting option using URIs, e.g. ssh://user:pass@host:port.
* ``--target-id=TARGET_ID``
Provide a ID which will be included on reports
Provide a ID which will be included on reports.
* ``--user=USER``
The login user for a remote scan.
* ``--winrm-basic-auth-only``, ``--no-winrm-basic-auth-only``
@ -151,7 +172,7 @@ This subcommand has additional options:
## env
Output shell-appropriate completion configuration
Output shell-appropriate completion configuration.
### Syntax
@ -165,11 +186,9 @@ inspec env
Run all test files at the specified locations.
The subcommand loads the given profiles, fetches their dependencies if needed, then
connects to the target and executes any controls contained in the profiles.
One or more reporters are used to generate the output.
The subcommand loads the given profiles, fetches their dependencies if needed, then connects to the target and executes any controls contained in the profiles. One or more reporters are used to generate the output.
```
```ruby
exit codes:
0 normal exit, all tests passed
1 usage or general error
@ -183,65 +202,75 @@ exit codes:
Below are some examples of using `exec` with different test locations:
Chef Automate:
```
```ruby
inspec automate login
inspec exec compliance://username/linux-baseline
```
`inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way:
```
```ruby
inspec compliance login
```
Chef Supermarket:
```
```ruby
inspec exec supermarket://username/linux-baseline
inspec exec supermarket://username/linux-baseline --supermarket_url="https://privatesupermarket.example.com"
```
Local profile (executes all tests in `controls/`):
```
```ruby
inspec exec /path/to/profile
```
Local single test (doesn't allow inputs or custom resources):
```
```ruby
inspec exec /path/to/a_test.rb
```
Git via SSH:
```
```ruby
inspec exec git@github.com:dev-sec/linux-baseline.git
```
Git via HTTPS (.git suffix is required):
```
```ruby
inspec exec https://github.com/dev-sec/linux-baseline.git
```
Private Git via HTTPS (.git suffix is required):
```
```ruby
inspec exec https://api_token@github.com/dev-sec/linux-baseline.git
```
Private Git via HTTPS and cached credentials (.git suffix is required):
```
```bash
git config credential.helper cache
git ls-remote https://github.com/dev-sec/linux-baseline.git
inspec exec https://github.com/dev-sec/linux-baseline.git
```
Web-hosted file (also supports .zip):
```
```bash
inspec exec https://webserver/linux-baseline.tar.gz
```
Web-hosted file with basic authentication (supports .zip):
```
```bash
inspec exec https://username:password@webserver/linux-baseline.tar.gz
```
### Syntax
This subcommand has the following syntax:
@ -252,20 +281,28 @@ inspec exec LOCATIONS
### Options
This subcommand has additional options:
This subcommand has the following additional options:
* ``--attrs=one two three``
Legacy name for --input-file - deprecated.
* ``-b``, ``--backend=BACKEND``
Choose a backend: local, ssh, winrm, docker.
* ``--backend-cache``, ``--no-backend-cache``
Allow caching for backend command output. (default: true)
Allow caching for backend command output. (default: true).
* ``--bastion-host=BASTION_HOST``
Specifies the bastion host if applicable
Specifies the bastion host if applicable.
* ``--bastion-port=BASTION_PORT``
Specifies the bastion port if applicable
Specifies the bastion port if applicable.
* ``--bastion-user=BASTION_USER``
Specifies the bastion user if applicable
Specifies the bastion user if applicable.
* ``--ca-trust-file=PATH_TO_CA_TRUST_FILE``
Specify CA certificate required for SSL authentication (WinRM).
* ``--client-cert=PATH_TO_CLIENT_CERTIFICATE``
Specify client certificate required for SSL authentication (WinRM).
* ``--client-key=PATH_TO_CLIENT_KEY``
Specify client key required with client certificate for SSL authentication (WinRM).
* ``--client-key-pass=CLIENT_CERT_PASSWORD``
Specify client certificate password, if required for SSL authentication (WinRM).
* ``--command-timeout=SECONDS``
Maximum seconds to allow a command to run.
* ``--config=CONFIG``
@ -273,7 +310,7 @@ This subcommand has additional options:
* ``--controls=one two three``
A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests.
* ``--create-lockfile``, ``--no-create-lockfile``
Write out a lockfile based on this execution (unless one already exists)
Write out a lockfile based on this execution (unless one already exists).
* ``--distinct-exit``, ``--no-distinct-exit``
Exit with code 101 if any tests fail, and 100 if any are skipped (default). If disabled, exit 0 on skips and 1 for failures.
* ``--docker-url``
@ -282,14 +319,16 @@ This subcommand has additional options:
Password for enable mode on Cisco IOS devices.
* ``--filter-empty-profiles``, ``--no-filter-empty-profiles``
Filter empty profiles (profiles without controls) from the report.
* ``--filter-waived-controls``
Do not execute waived controls in InSpec at all. Must use with --waiver-file. Ignores `run` setting of waiver file.
* ``--host=HOST``
Specify a remote host which is tested.
* ``--input=name1=value1 name2=value2``
Specify one or more inputs directly on the command line, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures.
* ``--input-file=one two three``
Load one or more input files, a YAML file with values for the profile to use
Load one or more input files, a YAML file with values for the profile to use.
* ``--insecure``, ``--no-insecure``
Disable SSL verification on select targets
Disable SSL verification on select targets.
* ``-i``, ``--key-files=one two three``
Login key or certificate file for a remote scan.
* ``--password=PASSWORD``
@ -301,15 +340,15 @@ This subcommand has additional options:
* ``--profiles-path=PROFILES_PATH``
Folder which contains referenced profiles.
* ``--proxy-command=PROXY_COMMAND``
Specifies the command to use to connect to the server
Specifies the command to use to connect to the server.
* ``--reporter=one two:/output/file/path``
Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit, yaml
Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit, yaml.
* ``--reporter-backtrace-inclusion``, ``--no-reporter-backtrace-inclusion``
Include a code backtrace in report data (default: true)
Include a code backtrace in report data (default: true).
* ``--reporter-include-source``
Include full source code of controls in the CLI report
Include full source code of controls in the CLI report.
* ``--reporter-message-truncation=REPORTER_MESSAGE_TRUNCATION``
Number of characters to truncate failure messages in report data to (default: no truncation)
Number of characters to truncate failure messages in report data to (default: no truncation).
* ``--self-signed``, ``--no-self-signed``
Allow remote scans with self-signed certificates (WinRM).
* ``--shell``, ``--no-shell``
@ -322,8 +361,12 @@ This subcommand has additional options:
Show progress while executing tests.
* ``--silence-deprecations=all|GROUP GROUP...``
Suppress deprecation warnings. See install_dir/etc/deprecations.json for list of GROUPs or use 'all'.
* ``--ssh-config-file=one two three``
A list of paths to the SSH configuration file, for example: `~/.ssh/config` or `/etc/ssh/ssh_config`.
* ``--ssl``, ``--no-ssl``
Use SSL for transport layer encryption (WinRM).
* ``--ssl-peer-fingerprint``
Specify ssl peer fingerprint in lieu of certificates, for SSL authentication (WinRM).
* ``--sudo``, ``--no-sudo``
Run scans with sudo. Only activates on Unix and non-root user.
* ``--sudo-command=SUDO_COMMAND``
@ -333,13 +376,15 @@ This subcommand has additional options:
* ``--sudo-password=SUDO_PASSWORD``
Specify a sudo password, if it is required.
* ``-t``, ``--target=TARGET``
Simple targeting option using URIs, e.g. ssh://user:pass@host:port
Simple targeting option using URIs, e.g. ssh://user:pass@host:port.
* ``--target-id=TARGET_ID``
Provide a ID which will be included on reports
Provide a ID which will be included on reports.
* ``--tags=one two three``
A list of tags or a list of regular expressions that match tags. `exec` will run controls referenced by the listed or matching tags.
* ``--user=USER``
The login user for a remote scan.
* ``--vendor-cache=VENDOR_CACHE``
Use the given path for caching dependencies. (default: ~/.inspec/cache)
Use the given path for caching dependencies. (default: `~/.inspec/cache`).
* ``--waiver-file=one two three``
Load one or more waiver files.
* ``--winrm-basic-auth-only``, ``--no-winrm-basic-auth-only``
@ -349,9 +394,21 @@ This subcommand has additional options:
* ``--winrm-transport=WINRM_TRANSPORT``
Specify which transport to use, defaults to negotiate (WinRM).
## habitat
Create a Chef Habitat package.
### Syntax
This subcommand has the following syntax:
```bash
inspec habitat SUBCOMMAND
```
## help
Describe available commands or one specific command
Describe available commands or one specific command.
### Syntax
@ -361,9 +418,21 @@ This subcommand has the following syntax:
inspec help [COMMAND]
```
## init
Scaffold a new project.
### Syntax
This subcommand has the following syntax:
```bash
inspec init TEMPLATE
```
## json
Read all tests in path and generate a json summary
Read all tests in path and generate a json summary.
### Syntax
@ -375,20 +444,22 @@ inspec json PATH
### Options
This subcommand has additional options:
This subcommand has the following additional options:
* ``--controls=one two three``
A list of controls to include. Ignore all other tests.
* ``-o``, ``--output=OUTPUT``
Save the created profile to a path
Save the created profile to a path.
* ``--profiles-path=PROFILES_PATH``
Folder which contains referenced profiles.
* ``--tags=one two three``
A list of tags that reference certain controls. Other controls are ignored.
* ``--vendor-cache=VENDOR_CACHE``
Use the given path for caching dependencies. (default: ~/.inspec/cache)
Use the given path for caching dependencies. (default: `~/.inspec/cache`).
## nothing
Does nothing
Does nothing.
### Syntax
@ -398,9 +469,21 @@ This subcommand has the following syntax:
inspec nothing
```
## plugin
Install and manage [Chef InSpec plugins](/inspec/plugins/).
### Syntax
This subcommand has the following syntax:
```bash
inspec plugin SUBCOMMAND
```
## schema
Print the json schema
Print the json schema.
### Syntax
@ -412,7 +495,7 @@ inspec schema NAME
## shell
Open an interactive debugging shell
Open an interactive debugging shell.
### Syntax
@ -424,24 +507,32 @@ inspec shell
### Options
This subcommand has additional options:
This subcommand has the following additional options:
* ``-b``, ``--backend=BACKEND``
Choose a backend: local, ssh, winrm, docker.
* ``--bastion-host=BASTION_HOST``
Specifies the bastion host if applicable
Specifies the bastion host if applicable.
* ``--bastion-port=BASTION_PORT``
Specifies the bastion port if applicable
Specifies the bastion port if applicable.
* ``--bastion-user=BASTION_USER``
Specifies the bastion user if applicable
Specifies the bastion user if applicable.
* ``-c``, ``--command=COMMAND``
A single command string to run instead of launching the shell
A single command string to run instead of launching the shell.
* ``--command-timeout=SECONDS``
Maximum seconds to allow a command to run.
* ``--ca-trust-file=PATH_TO_CA_TRUST_FILE``
Specify CA certificate required for SSL authentication (WinRM).
* ``--client-cert=PATH_TO_CLIENT_CERTIFICATE``
Specify client certificate required for SSL authentication (WinRM).
* ``--client-key=PATH_TO_CLIENT_KEY``
Specify client key required with client certificate for SSL authentication (WinRM).
* ``--client-key-pass=CLIENT_CERT_PASSWORD``
Specify client certificate password, if required for SSL authentication (WinRM).
* ``--config=CONFIG``
Read configuration from JSON file (`-` reads from stdin).
* ``--depends=one two three``
A space-delimited list of local folders containing profiles whose libraries and resources will be loaded into the new shell
A space-delimited list of local folders containing profiles whose libraries and resources will be loaded into the new shell.
* ``--distinct-exit``, ``--no-distinct-exit``
Exit with code 100 if any tests fail, and 101 if any are skipped but none failed (default). If disabled, exit 0 on skips and 1 for failures.
* ``--docker-url``
@ -451,7 +542,7 @@ This subcommand has additional options:
* ``--host=HOST``
Specify a remote host which is tested.
* ``--insecure``, ``--no-insecure``
Disable SSL verification on select targets
Disable SSL verification on select targets.
* ``--inspect``, ``--no-inspect``
Use verbose/debugging output for resources.
* ``-i``, ``--key-files=one two three``
@ -463,9 +554,9 @@ This subcommand has additional options:
* ``-p``, ``--port=N``
Specify the login port for a remote scan.
* ``--proxy-command=PROXY_COMMAND``
Specifies the command to use to connect to the server
Specifies the command to use to connect to the server.
* ``--reporter=one two:/output/file/path``
Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit
Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit.
* ``--self-signed``, ``--no-self-signed``
Allow remote scans with self-signed certificates (WinRM).
* ``--shell``, ``--no-shell``
@ -474,8 +565,12 @@ This subcommand has additional options:
Specify a particular shell to use.
* ``--shell-options=SHELL_OPTIONS``
Additional shell options.
* ``--ssh-config-file=one two three``
A list of paths to the SSH configuration file, for example: `~/.ssh/config` or `/etc/ssh/ssh_config`.
* ``--ssl``, ``--no-ssl``
Use SSL for transport layer encryption (WinRM).
* ``--ssl-peer-fingerprint=SSL_PEER_FINGERPRINT``
Specify ssl peer fingerprint in lieu of certificates, for SSL authentication (WinRM).
* ``--sudo``, ``--no-sudo``
Run scans with sudo. Only activates on Unix and non-root user.
* ``--sudo-command=SUDO_COMMAND``
@ -485,9 +580,9 @@ This subcommand has additional options:
* ``--sudo-password=SUDO_PASSWORD``
Specify a sudo password, if it is required.
* ``-t``, ``--target=TARGET``
Simple targeting option using URIs, e.g. ssh://user:pass@host:port
Simple targeting option using URIs, e.g. ssh://user:pass@host:port.
* ``--target-id=TARGET_ID``
Provide a ID which will be included on reports
Provide a ID which will be included on reports.
* ``--user=USER``
The login user for a remote scan.
* ``--winrm-basic-auth-only``, ``--no-winrm-basic-auth-only``
@ -499,7 +594,7 @@ This subcommand has additional options:
## supermarket
Supermarket commands
Supermarket commands.
### Syntax
@ -509,9 +604,17 @@ This subcommand has the following syntax:
inspec supermarket SUBCOMMAND ...
```
### Options
This subcommand has additional options:
* ``--supermarket_url``
Specify the URL of a private Chef Supermarket.
## vendor
Download all dependencies and generate a lockfile in a `vendor` directory
Download all dependencies and generate a lockfile in a `vendor` directory.
### Syntax
@ -530,7 +633,7 @@ This subcommand has additional options:
## version
Prints the version of this tool
Prints the version of this tool.
### Syntax
@ -542,6 +645,6 @@ inspec version
### Options
This subcommand has additional options:
This subcommand has the following additional options:
* ``--format=FORMAT``


@ -104,7 +104,7 @@ Version 1.2 adds a top-level field, "plugins".
Use the `plugins` top-level configuration field to provide configuration settings to plugins that you use with Chef InSpec. Refer to the documentation of the plugin you are using for details regarding what settings are available.
To use this new feature, add a new top-level key in your config file named `plugins`. Then create a sub-key named for each plugin you wish to configure. Each plugin will have a key-value are that it may use as it sees fit - Chef Inspec does not specify the structure. Here is an example, using contrived plugins:
To use this new feature, add a new top-level key in your config file named `plugins`. Then create a sub-key named for each plugin you wish to configure. Each plugin will have a key-value are that it may use as it sees fit - Chef InSpec does not specify the structure. Here is an example, using contrived plugins:
```
{


@ -1,12 +1,12 @@
+++
title = "Chef InSpec DSL"
title = "Chef InSpec Language"
draft = false
gh_repo = "inspec"
[menu]
[menu.inspec]
title = "Chef InSpec DSL"
identifier = "inspec/reference/dsl_inspec.md Chef InSpec DSL"
title = "Chef InSpec Language"
identifier = "inspec/reference/dsl_inspec.md Chef InSpec Language"
parent = "inspec/reference"
weight = 70
+++
@ -15,9 +15,9 @@ Chef InSpec is a run-time framework and rule language used to specify compliance
security, and policy requirements. It includes a collection of resources that help
you write auditing controls quickly and easily. The syntax used by both open source
and [Chef compliance](/compliance/) auditing is the same. The open source [Chef InSpec resource](/inspec/resources/)
framework is compatible with [Chef compliance](/compliance/).
framework is compatible with [Chef compliance](https://docs.chef.io/chef_compliance_phase/).
The Chef InSpec DSL is a Ruby DSL for writing audit controls, which includes audit resources that you can invoke.
The Chef InSpec Language is a Ruby DSL for writing audit controls, which includes audit resources that you can invoke.
The following sections describe the syntax and show some simple examples of using the Chef InSpec resources.
@ -62,7 +62,7 @@ where
* `0.4 to <0.7` these are controls with medium impact
* `0.7 to <0.9` these are controls with high impact
* `0.9 to 1.0` these are critical controls
* `tag` is optional meta-information with with key or key-value pairs
* `tag` is optional meta-information with key or key-value pairs
* `ref` is a reference to an external document
* `describe` is a block that contains at least one test. A `control` block must contain at least one `describe` block, but may contain as many as required
* `sshd_config` is a Chef InSpec resource. For the full list of Chef InSpec resources, see Chef InSpec resource documentation
@ -336,7 +336,7 @@ end
## Using Ruby in InSpec
The Chef InSpec DSL is a Ruby based language. This allows you to be flexible with
The Chef InSpec Language is a Ruby based language. This allows you to be flexible with
Ruby code in controls:
```ruby


@ -52,7 +52,7 @@ The following attributes can be configured:
The following methods are available to the resource:
- inspec - Contains a registry of all other resources to interact with the operating system or target in general.
- skip\_resource - A resource may call this method to indicate that requirements aren't met. All tests that use this resource will be marked as skipped.
- skip_resource - A resource may call this method to indicate that requirements aren't met. All tests that use this resource will be marked as skipped.
The following example shows a full resource using attributes and methods
to provide simple access to a configuration file:
@ -104,7 +104,7 @@ class ExampleConfig < Inspec.resource(1)
end
```
For a full example, see our [example resource](https://github.com/chef/inspec/blob/master/examples/profile/libraries/example_config.rb).
For a full example, see our [example resource](https://github.com/chef/inspec/blob/main/examples/profile/libraries/example_config.rb).
## Lazy Loading


@ -74,11 +74,11 @@ _should\_not_ indicates this is a negated test. So, this test passes if the matc
### Plural Resource Example
```ruby
describe cars.where(color: /^b/) do
it { should exist }
its('manufacturers') { should include 'Cadillac' }
its('count') { should be >= 10 }
end
describe cars.where(color: /^b/) do
it { should exist }
its('manufacturers') { should include 'Cadillac' }
its('count') { should be >= 10 }
end
```
#### describe _cars_.where(color: /^b/) do
@ -152,9 +152,9 @@ end
### DSL
_DSL_ is an acronym for _Domain Specific Language_. It refers to the language extensions Chef InSpec provides to make authoring resources and controls easier. While Chef InSpec control files are use Ruby, the _Control DSL_ makes it easy to write controls without knowledge of Ruby by providing DSL keywords such as [describe](#describe), [control](#control), [it](#it) and [its](#its). See the [Chef InSpec DSL page](/inspec/dsl_inspec/) for details about keywords available to control authors.
_DSL_ is an acronym for _Domain Specific Language_. It refers to the language extensions Chef InSpec provides to make authoring resources and controls easier. While Chef InSpec control files are use Ruby, the _Control DSL_ makes it easy to write controls without knowledge of Ruby by providing DSL keywords such as [describe](#describe), [control](#control), [it](#it) and [its](#its). See the [Chef InSpec Language page](/inspec/dsl_inspec/) for details about keywords available to control authors.
For [custom resource](#custom-resource) authors, an additional DSL is available - see the [Resource DSL page](/inspec/dsl_resource/).
For [custom resource](#custom-resource) authors, an additional DSL is available - see the [Resource Language page](/inspec/dsl_resource/).
### Expected Result
@ -280,9 +280,9 @@ An operator matcher allows you to use operators to compare numerical [expected r
For example:
```ruby
describe cars do
its('count') { should be >= 10 }
end
describe cars do
its('count') { should be >= 10 }
end
```
Operators include:


@ -51,7 +51,7 @@ HAB_INSPEC_PROFILE_FRONTEND1="interval = 60" hab start effortless/audit-baseline
The Chef Habitat Supervisor will display output like this:
```text
```bash
hab start effortless/audit-baseline
∵ Missing package for core/hab-sup/0.17.0
» Installing core/hab-sup/0.17.0
@ -85,7 +85,7 @@ The above sample output shows the supervisor starting, downloading the necessary
Chef InSpec will write a JSON file in the `${svc_var_path}/inspec_results` directory containing the results of the last Chef InSpec run. For example, for the `effortless/audit-baseline` package, the Chef InSpec results will be at:
```text
```
/hab/svc/inspec-profile-frontend1/var/inspec_results/inspec-profile-frontend1.json
```
@ -103,13 +103,13 @@ distributed to a host and installed via `hab pkg install`.
The package file will be named:
```text
```
HABITAT_ORIGIN-inspec-profile-PROFILE_NAME-PROFILE_VERSION-BUILD_ID-x86_64-linux.hart
```
For example:
```text
```
adamleff-inspec-profile-frontend1-0.1.0-20170328173005-x86_64-linux.hart
```
@ -127,7 +127,7 @@ inspec habitat profile create ~/profiles/frontend1
#### Example Output
```text
```bash
$ habitat profile create ~/profiles/frontend1
[2017-03-28T13:29:32-04:00] INFO: Creating a Habitat artifact for profile: /Users/aleff/profiles/frontend1
[2017-03-28T13:29:32-04:00] INFO: Checking to see if Habitat is installed...
@ -206,7 +206,7 @@ inspec habitat profile upload ~/profiles/frontend1
#### Example Output
```text
```bash
[2017-03-28T13:29:32-04:00] INFO: Creating a Habitat artifact for profile: /Users/aleff/profiles/frontend1
[2017-03-28T13:29:32-04:00] INFO: Checking to see if Habitat is installed...
[2017-03-28T13:29:32-04:00] INFO: Copying profile contents to the work directory...


@ -47,7 +47,7 @@ end
When the above profile is executed by using `inspec exec rock_critic`, you would see something like:
```
```bash
× Big Rock Show: 10
× 10 is expected to cmp == 11
@ -62,7 +62,7 @@ That result clearly won't do. Let's override the input's default value.
We can now run that profile with `inspec exec rock_critic --input amplifier_max_volume=11`:
```
```bash
✔ Big Rock Show: 11
✔ 11 is expected to cmp == 11
@ -132,6 +132,7 @@ inputs:
```
To set a priority in DSL, use:
```ruby
input('also_important', value: 42, priority: 45)
```
@ -250,7 +251,6 @@ code to find the inputs.
When your profile relies on another profile using the `depends` key in the metadata file, you can set — that is, override — the value of the input in the dependent profile by including the `profile` option and naming the dependent profile.
```yaml
# child inspec.yml
name: child


@ -89,7 +89,7 @@ Lessons learned from Serverspec include:
- A command line interface (CLI) is required for faster iteration of test code.
You can also watch this [podcast](http://foodfightshow.org/2016/02/inspec.html)
to find out more on the relationship of Chef InSpec and Serverspec.
to find out more on the relationship between Chef InSpec and Serverspec.
### How is Chef InSpec different from Serverspec
@ -125,12 +125,12 @@ fork was not practical so a new project was born.
**Will Chef InSpec only work on machines managed by Chef?**
No, Chef InSpec can be used on any machine. It doesnt matter if that machine
was configured by Chef or configured lovingly by the hands of your local
No, Chef InSpec can be used on any machine. It does not matter if that machine
was configured by Chef Infra or configured lovingly by the hands of your local
System Administrator.
**Is Chef InSpec a replacement of Serverspec?**
Chef InSpec is intended to be a drop-in replacement of Serverspec. Popular
Serverspec resources have been ported to InSpec. It changed some
behaviour as documented in our migration guide.
behavior as documented in our migration guide.


@ -16,7 +16,7 @@ Users can choose between operating systems of MacOS, Windows, and Linux for Chef
## Install Chef InSpec
You can download the latest Chef InSpec package relevant to your operating system
at [our Downloads Page](https://downloads.chef.io/inspec).
at [our Downloads Page](https://www.chef.io/downloads/tools/inspec).
Alternatively, Chef InSpec can be installed via installer, script, or package
manager, according to your operating system and method as listed below.
@ -28,7 +28,7 @@ manager, according to your operating system and method as listed below.
Chef InSpec is available as a standalone [Homebrew](https://brew.sh/) package.
Run the following command in your terminal to install Chef InSpec:
```
```bash
brew install chef/chef/inspec
```
@ -39,7 +39,7 @@ password for installation to complete.
You can download Chef InSpec via curl script:
```
```bash
curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec
```
@ -47,7 +47,7 @@ curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec
#### Installer
Once you downloaded the latest [Chef InSpec package](https://downloads.chef.io/inspec)
Once you downloaded the latest [Chef InSpec package](https://www.chef.io/downloads/tools/inspec)
relevant to your Microsoft version, double-click the `.msi` file to launch the
installer and follow the prompts.
@ -68,31 +68,31 @@ was successful.
The following curl script will install Chef InSpec for Ubuntu and Red Hat Enterprise Linux:
```
```bash
curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec
```
If you prefer, you can use a package manager to install Chef InSpec.
Once you downloaded the latest [Chef InSpec package](https://downloads.chef.io/inspec)
Once you downloaded the latest [Chef InSpec package](https://www.chef.io/downloads/tools/inspec)
relevant to your Linux-based platform, use the command for the respective package
manager listed below. Replace the example file path with the file path leading to
your downloaded package.
For Ubuntu, use the following command to install Chef InSpec:
```
```bash
sudo dpkg -i /path/to/inspec.deb
```
For Red Hat Enterprise Linux, use the following command to install Chef InSpec:
```
```bash
sudo rpm -U /path-to/inspec.rpm
```
For SUSE Linux Enterprise Server, use the following command to install Chef InSpec:
```
```bash
sudo zypper install /path-to/inspec.rpm
```
@ -108,7 +108,7 @@ method of Chef InSpec installation.
Use the following *destructive* command to remove the Chef InSpec standalone Homebrew package:
```
```bash
brew cask uninstall inspec
```
@ -116,7 +116,7 @@ brew cask uninstall inspec
Use the following *destructive* command in your terminal to remove the Chef InSpec package:
```
```bash
sudo rm -rf /opt/inspec
```
@ -135,18 +135,18 @@ for their package manager are listed below.
For Ubuntu, use the following *destructive* command to uninstall:
```
```bash
sudo dpkg -P inspec
```
For Red Hat Enterprise Linux, use the following *destructive* command to uninstall:
```
```bash
sudo rpm -e inspec
```
For SUSE Linux Enterprise Server, use the following *destructive* command to uninstall Chef InSpec:
```
```bash
sudo zypper remove inspec
```


@ -60,7 +60,7 @@ end
`cmp` behaves in the following way:
* Compare strings to numbers
- Compare strings to numbers
```ruby
describe sshd_config do
@ -73,7 +73,7 @@ describe sshd_config do
end
```
* String comparisons are not case-sensitive
- String comparisons are not case-sensitive
```ruby
describe auditd_conf do
@ -82,7 +82,7 @@ describe auditd_conf do
end
```
* Recognize versions embedded in strings
- Recognize versions embedded in strings
```ruby
describe package('curl') do
@ -90,7 +90,7 @@ describe package('curl') do
end
```
* Compare arrays with only one entry to a value
- Compare arrays with only one entry to a value
```ruby
describe passwd.uids(0) do
@ -99,7 +99,7 @@ describe passwd.uids(0) do
end
```
* Single-value arrays of strings may also be compared to a regex
- Single-value arrays of strings may also be compared to a regex
```ruby
describe auditd_conf do
@ -107,7 +107,7 @@ describe auditd_conf do
end
```
* Improved printing of octal comparisons
- Improved printing of octal comparisons
```ruby
describe file('/proc/cpuinfo') do


@ -97,7 +97,7 @@ In addition Chef InSpec provides additional [resources](/inspec/resources/) that
For most cases, the migration to Chef InSpec is pretty straight forward. First, replace the current verifier in `kitchen.yml` configuration with:
```
```yaml
verifier:
name: inspec
```
@ -116,7 +116,7 @@ set :backend, :exec
Chef InSpec is now configured with Test-Kitchen:
```
```bash
kitchen verify package-install-centos-72
-----> Starting Kitchen (v1.14.2)
-----> Verifying <package-install-centos-72>...
@ -152,7 +152,7 @@ Some general recommendations:
Chef InSpec does not attach backend information to test files. All tests are defined independently of any backend. Therefore a Serverspec test file:
```
```ruby
require 'serverspec'
# Required by serverspec
@ -175,7 +175,7 @@ end
will become the following Chef InSpec test file:
```
```ruby
describe 'PHP' do
it 'has php' do
expect(command('php -v').exit_status).to eq(0)
@ -197,7 +197,7 @@ As you can see, the Chef InSpec test files just focuses on tests and tries to av
Serverspec and RSpec allow you to define nested describe blocks. We did a survey and found out that most users use nested describe blocks only to improve their output report. We believe the code structure should not change to improve the output of a report. Nevertheless we understand that nested describe blocks help you to structure test code. A sample code block looks like:
```
```ruby
describe 'chef-server-directories' do
describe file('/etc/opscode') do
it { should be_directory }
@ -234,7 +234,7 @@ tests
Each file can have a top-level description of its content:
```
```ruby
title "Chef Server Directories"
describe file('/etc/opscode') do
@ -267,7 +267,7 @@ Of course. We still prefer the `should` syntax for UX reasons. We did surveys wi
### `should` syntax with InSpec
```
```ruby
describe command('php -v') do
its('exit_status') { should eq 0 }
end
@ -283,7 +283,7 @@ end
### `expect` syntax with InSpec
```
```ruby
describe 'PHP' do
it 'has php' do
expect(command('php -v').exit_status).to eq(0)


@ -43,7 +43,7 @@ for details.
Once you have your environment variables set, you can verify your credentials by running:
```bash
you$ inspec detect -t aws://
$ inspec detect -t aws://
== Platform Details
Name: aws
@ -70,7 +70,7 @@ profile named 'auditing', use `-t aws://us-east-2/auditing`.
To verify your credentials, run
```bash
you$ inspec detect -t aws://
$ inspec detect -t aws://
== Platform Details
Name: aws


@ -76,9 +76,9 @@ inspec plugin install --source https://my.private.server inspec-private-plugin
### Chef InSpec Plugins
For details on how to author a Chef InSpec Plugin, see the
[developer documentation](https://github.com/inspec/inspec/blob/master/dev-docs/plugins.md)
[developer documentation](https://github.com/inspec/inspec/blob/main/dev-docs/plugins.md)
### Train Plugins
For details on how to author a Train Plugin, see the
[developer documentation](https://github.com/inspec/train/blob/master/docs/plugins.md)
[developer documentation](https://github.com/inspec/train/blob/main/docs/plugins.md)


@ -41,7 +41,7 @@ where:
- `README.md` should be used to explain the profile, its scope, and usage
See a complete example profile in the Chef InSpec open source repository:
[Example Chef InSpec Profile](https://github.com/chef/inspec/tree/master/examples/profile)
[Example Chef InSpec Profile](https://github.com/chef/inspec/tree/main/examples/profile)
Also check out [Explore Chef InSpec resources](https://learn.chef.io/modules/explore-inspec-resources#/)
on Learn Chef Rally to learn more about how profiles are structured with hands-on-examples.
@ -132,25 +132,25 @@ supports:
- platform-name: debian
```
To target only Ubuntu version 14.04, use:
To target only Ubuntu version 20.04, use:
```YAML
name: ssh
supports:
- platform-name: ubuntu
release: 14.04
release: 20.04
```
To target the entire release of Ubuntu version 14.x, use:
To target the entire release of Ubuntu version 20.x, use:
```YAML
name: ssh
supports:
- platform-name: ubuntu
release: 14.*
release: 20.*
```
To target the entire RedHat platform (including CentOS and Oracle Linux), use:
To target the Red Hat and derivative platforms such as CentOS and Oracle Linux, use:
```YAML
name: ssh
@ -158,7 +158,7 @@ supports:
- platform-family: redhat
```
To target the entire Windows 2019 platform family including Datcenter and Core Servers, use:
To target the entire Windows 2019 platform family, including Datacenter and Core Servers, use:
```YAML
name: ssh
@ -181,7 +181,7 @@ name: ssh
supports:
- platform-name: debian
- platform-name: ubuntu
release: 14.04
release: 20.04
- platform-family: redhat
- platform: aws
```
@ -440,7 +440,7 @@ With `services.yml` containing:
The tests in `example.rb` can now access this file:
```Ruby
```ruby
my_services = yaml(content: inspec.profile.file('services.yml')).params
my_services.each do |s|
@ -485,7 +485,7 @@ end
The output of both of the above examples looks like this:
```text
```bash
File /tmp/test.txt
✔ should be a file
```
@ -504,7 +504,7 @@ end
... which will render the following output:
```text
```bash
test file
✔ should be a file
```


@ -13,6 +13,8 @@ gh_repo = "inspec"
The following list of InSpec resources are available.
{{< inspec_resources_filter >}}
## OS
{{< inspec_resources platform="os" >}}
@ -29,6 +31,10 @@ The following resources work on Windows operating systems.
{{< inspec_resources platform="windows" >}}
## Alibaba
{{< inspec_resources platform="alicloud" >}}
## AWS
{{< inspec_resources platform="aws" >}}


@ -49,13 +49,29 @@ Use the where clause to match a selection_line to one rule or a particular set o
## Properties
- `conf_path`, `content`, `rules`, `all_have_rule`
### `rules`
## Property Examples
The `rules` property returns the list of rules set in the `aide.conf` file.
its('rules') { should include ['r', 'sha512'] }
### `all_have_rule`
The `all_have_rule` property returns the all selected lines from `aide.conf` file e.g. 'p', 'i' etc.
aide_conf.all_have_rule('sha512')
### `selection_lines`
The `selection_lines` property returns the list of lines from `aide.conf` file.
its('selection_lines') { should include '/sbin' }
## Examples
The following examples show how to use this Chef InSpec audit resource.
### Test if all selection lines contain the xattr rule
### Test if all selection lines contain the `xattr` rule
describe aide_conf.all_have_rule('xattr') do
it { should eq true }
@ -67,7 +83,7 @@ The following examples show how to use this Chef InSpec audit resource.
its('rules.flatten') { should include 'r' }
end
### Test whether selection line for /sbin consists of a particular set of rules
### Test whether the selection line for `/sbin` consists of a particular set of rules
describe aide_conf.where { selection_line == '/sbin' } do
its('rules') { should include ['r', 'sha512'] }


@ -19,6 +19,10 @@ Use the `apache_conf` Chef InSpec audit resource to test the configuration setti
This resource is distributed along with Chef InSpec itself. You can use it automatically.
### Requirements
`ServerRoot` must be included in an Apache configuration file. If not present, the included configurations will not be accessible to the resource.
### Version
This resource first became available in v1.0.0 of InSpec.


@ -1,90 +0,0 @@
+++
title = "aws_alb resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_alb"
identifier = "inspec/resources/aws/aws_alb.md aws_alb resource"
parent = "inspec/resources/aws"
+++
Use the `aws_alb` InSpec audit resource to test properties of a single AWS Application Load Balancer (ALB).
## Syntax
Ensure that an `aws_alb` exists
describe aws_alb('arn:aws:elasticloadbalancing') do
it { should exist }
end
describe aws_alb(load_balancer_arn: 'arn:aws:elasticloadbalancing') do
it { should exist }
end
## Parameters
### load_balancer_arn _(required)_
This resource accepts a single parameter, the ALB Arn which uniquely identifies the ALB.
This can be passed either as a string or as a `load_balancer_arn: 'value'` key-value entry in a hash.
See also the [AWS documentation on Elastic Load Balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference).
## Properties
| Property | Description |
| ------------------------ | ---------------------------------------------------------------------------------- |
| load_balancer_name | The name of the load balancer. |
| load_balancer_addresses | A collectionm of the load balancer addresses. |
| canonical_hosted_zone_id | The ID of the Amazon Route 53 hosted zone for the load balancer. |
| dns_name | The DNS name of the load balancer. |
| availability_zones | The Availability Zones for the load balancer. |
| security_groups | The security groups for the load balancer. Valid only for load balancers in a VPC. |
| scheme | The type of load balancer. Valid only for load balancers in a VPC. |
| state | The state of the load balancer. |
| subnets | A collection of the subnet ids. |
| type | The type of the load balancer. |
| vpc_id | The ID of the VPC for the load balancer. |
| zone_names | A collection of the names of the availability zones. |
| listeners | A collection of the listeners for the load balancer. |
| ssl_policies | A list of the SSL Policies configured for the listeners of the load balancer. |
| external_ports | A list of the ports configured for the listeners of the load balancer. |
| protocols | A list of the protocols configured for the listeners of the load balancer. |
## Examples
### Test that an ALB has its availability zones configured correctly
describe aws_alb('arn::alb') do
its('zone_names.count') { should be > 1 }
its('zone_names') { should include 'us-east-2a' }
its('zone_names') { should include 'us-east-2b' }
end
## Matchers
This InSpec audit resource has no special matchers. For a full list of available matchers, please visit our [Universal Matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_alb('AnExistingALB') do
it { should exist }
end
describe aws_alb('ANonExistentALB') do
it { should_not exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `elasticloadbalancing:DescribeLoadBalancers` action set to Allow.
You can find detailed documentation at [Authentication and Access Control for Your Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html)


@ -1,76 +0,0 @@
+++
title = "aws_albs resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_albs"
identifier = "inspec/resources/aws/aws_albs.md aws_albs resource"
parent = "inspec/resources/aws"
+++
Use the `aws_albs` InSpec audit resource to test the configuration of a collection of Application Load Balancers.
## Syntax
Ensure that an `aws_albs` exists
describe aws_albs do
its('load_balancer_arns') { should include 'arn:aws:elasticloadbalancing' }
end
## Parameters
This resource does not expect any parameters.
See also the [AWS documentation on Elastic Load Balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference).
## Properties
| Property | Description |
| ------------------------- | ----------------------------------------------------------------------------------- |
| load_balancer_names | The names of the load balancers. |
| load_balancer_addresses | A collection of the load balancers addresses. |
| canonical_hosted_zone_ids | The IDs of the Amazon Route 53 hosted zone for the load balancers. |
| dns_names | The DNS names of the load balancers. |
| availability_zones | The Availability Zones for the load balancers. |
| security_groups | The security groups for the load balancers. Valid only for load balancers in a VPC. |
| schemes | The types of load balancers. Valid only for load balancers in a VPC. |
| states | The states of the load balancers. |
| subnets | A collection of the subnet ids. |
| types | The types of the load balancers. |
| vpc_ids | The IDs of the VPCs for the load balancers. |
| zone_names | A collection of the names of the availability zones. |
## Examples
### Test that an ALB has its availability zones configured correctly
describe aws_alb('arn::alb') do
its('zone_names.count') { should be > 1 }
its('zone_names') { should include 'us-east-2a' }
its('zone_names') { should include 'us-east-2b' }
end
## Matchers
This InSpec audit resource has no special matchers. For a full list of available matchers, please visit our [Universal Matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_albs do
it { should exist }
its('availability_zones') { should_not include 'us-east-1a'}
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `elasticloadbalancing:DescribeLoadBalancers` action set to Allow.
You can find detailed documentation at [Authentication and Access Control for Your Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html)


@ -1,90 +0,0 @@
+++
title = "aws_auto_scaling_group resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_auto_scaling_group"
identifier = "inspec/resources/aws/aws_auto_scaling_group.md aws_auto_scaling_group resource"
parent = "inspec/resources/aws"
+++
Use the `aws_auto_scaling_group` InSpec audit resource to test properties of a single AWS Auto Scaling group.
## Syntax
Ensure that an auto scaling group exists and has the correct scale sizes
describe aws_auto_scaling_group('MyAutoScalingGroup') do
it { should exist }
its('min_size') { should be 1}
its('max_size') { should be 4}
end
You may also use hash syntax to pass the auto scaling group name
describe aws_auto_scaling_group(name: 'MyAutoScalingGroup') do
it { should exist }
end
## Parameters
### name _(required)_
This resource accepts a single parameter, the Auto Scaling Group Name which uniquely identifies the auto scaling group.
This can be passed either as a string or as a `name: 'value'` key-value entry in a hash.
See also the [AWS documentation on Auto Scaling Group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/AutoScalingGroup.html).
## Properties
| Property | Description |
| ------------------------- | ------------------------------------------------------------------------------------------ |
| min_size | An integer indicating the minimum number of instances in the auto scaling group |
| maximum_size | An integer indicating the maximum number of instances in the auto scaling group |
| desired_capacity | An integer indicating the desired number of instances in the auto scaling group |
| launch_configuration_name | The name of the auto scaling launch configuration associated with the auto scaling group |
| vpc_zone_identifier | An array of strings corresponding to the subnet IDs associated with the auto scaling group |
| tags | An hash with each key-value pair corresponding to a tag associated with the entity |
## Examples
### Ensure that an auto scaling group has the correct desired capacity
describe aws_auto_scaling_group('MyAutoScalingGroup') do
it { should exist }
its('desired_capacity') { should be 2 }
end
### Ensure that an auto scaling group has the correct Launch Configuration name and VPC identifier
describe aws_auto_scaling_group('MyAutoScalingGroup') do
it { should exist }
its('launch_configuration_name') { should eq 'MyLaunchConfiguration'}
its('vpc_zone_identifier') { should include 'subnet-1234'}
end
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_auto_scaling_group('AnExistingASG') do
it { should exist }
end
describe aws_auto_scaling_group('ANonExistentASG') do
it { should_not exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `autoscaling:Describe*` actions with Effect set to Allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon Auto Scaling Groups](https://docs.aws.amazon.com/autoscaling/ec2/userguide/control-access-using-iam.html).


@ -1,73 +0,0 @@
+++
title = "aws_auto_scaling_groups resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_auto_scaling_groups"
identifier = "inspec/resources/aws/aws_auto_scaling_groups.md aws_auto_scaling_groups resource"
parent = "inspec/resources/aws"
+++
Use the `aws_auto_scaling_groups` InSpec audit resource to test the properties of a collection of AWS Auto Scaling Groups.
## Syntax
An `aws_auto_scaling_groups` resource block returns all Auto Scaling Groups and allows the testing of those ASGs.
describe aws_auto_scaling_groups do
its('names') { should include 'group-name' }
end
## Parameters
This resource does not expect any parameters.
See also the [AWS documentation on Auto Scaling Group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/AutoScalingGroup.html).
## Properties
| Property | Description |
| -------------------------- | -------------------------------------------------------------------------------------------- |
| min_sizes | An integer indicating the minimum number of instances in the auto scaling group |
| max_sizes | An integer indicating the maximum number of instances in the auto scaling group |
| desired_capacities | An integer indicating the desired number of instances in the auto scaling group |
| launch_configuration_names | The name of the auto scaling launch configuration associated with the auto scaling group |
| vpc_zone_identifiers | An array of strings corresponding to the subnet IDs associated with the auto scaling group |
| health_check_types | The service to use for the health checks. The valid values are EC2 and ELB. |
| tags | A hash of key-value pairs corresponding to the tags associated with the entity. |
| entries | Provides access to the raw results of the query, which can be treated as an array of hashes. |
## Examples
### Ensure there are no groups with incorrect vpc_zone_identifiers.
describe aws_auto_scaling_groups do
it { should exist }
its('vpc_zone_identifiers') { should_not include 'UNDESIRED-ZONE'}
end
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_auto_scaling_groups.where( <property>: <value>) do
it { should exist }
end
describe aws_auto_scaling_groups.where( <property>: <value>) do
it { should_not exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `autoscaling:Describe*` actions with Effect set to Allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon Auto Scaling Groups](https://docs.aws.amazon.com/autoscaling/ec2/userguide/control-access-using-iam.html).


@ -1,95 +0,0 @@
+++
title = "aws_cloudformation_stack resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_cloudformation_stack"
identifier = "inspec/resources/aws/aws_cloudformation_stack.md aws_cloudformation_stack resource"
parent = "inspec/resources/aws"
+++
Use the `aws_cloudformation_stack` InSpec audit resource to test properties of a single AWS Cloud Formation Stack.
## Syntax
Ensure that an `aws_cloudformation_stack` exists
describe aws_cloudformation_stack('stack-name') do
it { should exist }
end
describe aws_cloudformation_stack(stack_name: 'stack-name') do
it { should exist }
end
## Parameters
### stack_name _(required)_
This resource accepts a single parameter, the CloudFormation Stack name which uniquely identifies the stack.
This can be passed either as a string or as a `stack_name: 'value'` key-value entry in a hash.
See also the [AWS documentation on Cloud Formation](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/Welcome.html).
## Properties
|Property | Description|
| --- | --- |
|stack\_id | Unique identifier of the stack. |
|stack\_name | The name associated with the stack. |
|change\_set\_id | The unique ID of the change set. |
|description | A user-defined description associated with the stack. |
|parameters | A list of Parameter structures. |
|creation\_time | The time at which the stack was created. |
|deletion\_time | The time the stack was deleted. |
|last\_updated\_time | The time the stack was last updated. |
|rollback\_configuration | The rollback triggers for AWS CloudFormation to monitor during stack creation and updating operations, and for the specified monitoring period afterwards. |
|stack\_status | Current status of the stack. |
|stack\_status\_reason | Success/failure message associated with the stack status. |
|drift\_information | Information on whether a stack's actual configuration differs, or has drifted, from it's expected configuration, as defined in the stack template and any values specified as template parameters. |
|disable\_rollback | Boolean to enable or disable rollback on stack creation failures: |
|notification\_arns | SNS topic ARNs to which stack related events are published. |
|timeout\_in\_minutes | The amount of time within which stack creation should complete. |
|capabilities | The capabilities allowed in the stack. |
|outputs | A list of output structures. |
|role\_arn | The Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) role that is associated with the stack. |
|tags | A list of Tags that specify information about the stack. |
|enable\_termination\_protection | Whether termination protection is enabled for the stack. |
|parent\_id | For nested stacks--stacks created as resources for another stack--the stack ID of the direct parent of this stack. |
|root\_id | For nested stacks--stacks created as resources for another stack--the stack ID of the the top-level stack to which the nested stack ultimately belongs. |
## Examples
### Test that a CloudFormation Stack has its stack_status configured correctly
describe aws_cloudformation_stack('stack_name') do
its ('stack_status') { should eq 'CREATE_COMPLETE' }
end
## Matchers
This InSpec audit resource has no special matchers. For a full list of available matchers, please visit our [Universal Matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_cloudformation_stack('AnExistingStack') do
it { should exist }
end
describe aws_cloudformation_stack('ANonExistentStack') do
it { should_not exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `cloudformation:DescribeStacks` action set to Allow.
You can find detailed documentation at [Authentication and Access Control for CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html)


@ -1,124 +0,0 @@
+++
title = "aws_cloudtrail_trail resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_cloudtrail_trail"
identifier = "inspec/resources/aws/aws_cloudtrail_trail.md aws_cloudtrail_trail resource"
parent = "inspec/resources/aws"
+++
Use the `aws_cloudtrail_trail` InSpec audit resource to test properties of a single AWS CloudTrail.
## Syntax
An `aws_cloudtrail_trail` resource block identifies a trail by `trail_name`.
# Find a trail by name
describe aws_cloudtrail_trail('trail-name') do
it { should exist }
end
# Hash syntax for trail name
describe aws_cloudtrail_trail(trail_name: 'trail-name') do
it { should exist }
end
## Parameters
### trail_name _(required)_
This resource expects a single parameter, the CloudTrail Name which uniquely identifies it.
This can be passed either as a string or as a `trail_name: 'value'` key-value entry in a hash.
See also the [AWS documentation on CloudTrail](https://docs.aws.amazon.com/cloudtrail/index.html#lang/en_us).
## Properties
|Property | Description|
| --- | --- |
|trail\_arn | Specifies the ARN of the trail. |
|trail\_name | Name of the trail. |
|home\_region | The region in which the trail was created. |
|s3\_bucket\_name | Name of the Amazon S3 bucket into which CloudTrail delivers your trail files. |
|cloud\_watch\_logs\_role\_arn | Specifies the role for the CloudWatch Logs endpoint to assume to write to a user's log group. |
|cloud\_watch\_logs\_log\_group\_arn | Specifies an Amazon Resource Name (ARN), a unique identifier that represents the log group to which CloudTrail logs will be delivered. |
|kms\_key\_id | Specifies the KMS key ID that encrypts the logs delivered by CloudTrail. |
## Examples
### Test that the specified trail does exist
describe aws_cloudtrail_trail('my-cloudtrail') do
it { should exist }
end
describe aws_cloudtrail_trail(trail_name: 'my-cloudtrail') do
it { should exist }
end
### Check the KMS key used to encrypt
describe aws_cloudtrail_trail('my-cloudtrail') do
its('kms_key_id') { should eq "my-kms-key" }
end
### Check the Home Region is correct
describe aws_cloudtrail_trail('my-cloudtrail') do
its('home_region') { should eq 'us-east-1' }
end
### Test that the specified trail is a multi-region trail
describe aws_cloudtrail_trail('my-cloudtrail') do
it { should be_multi_region_trail }
end
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
# Verify that at least one CloudTrail Trail exists.
describe aws_cloudtrail_trail('my-cloudtrail') do
it { should exist }
end
### be_multi_region_trail
The test will pass if the identified trail is a multi-region trail.
describe aws_cloudtrail_trail('my-cloudtrail') do
it { should be_multi_region_trail }
end
### be_encrypted
The test will pass if the logs delivered by the identified trail are encrypted.
describe aws_cloudtrail_trail('my-cloudtrail') do
it { should be_encrypted }
end
### be_log_file_validation_enabled
The test will pass if the identified trail has log file integrity validation is enabled.
describe aws_cloudtrail_trail('my-cloudtrail') do
it { should be_log_file_validation_enabled }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `cloudtrail:DescribeTrails` action with Effect set to Allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for AWS CloudTrail](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscloudtrail.html).


@ -1,74 +0,0 @@
+++
title = "aws_cloudtrail_trails resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_cloudtrail_trails"
identifier = "inspec/resources/aws/aws_cloudtrail_trails.md aws_cloudtrail_trails resource"
parent = "inspec/resources/aws"
+++
Use the `aws_cloudtrail_trails` InSpec audit resource to test properties of a collection of AWS CloudTrail Trails.
## Syntax
An `aws_cloudtrail_trails` resource block returns all CloudTrail Trails and allows the testing of those trails.
describe aws_cloudtrail_trails do
it { should exist }
end
## Parameters
This resource does not expect any parameters.
See also the [AWS documentation on Auto Scaling Group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/AutoScalingGroup.html).
## Properties
| Property | Description |
| ---------- | -------------------------------------------------------------------------------------------- |
| trail_arns | Specifies the ARNs of the trails. |
| names | The names of the trails. |
| entries | Provides access to the raw results of the query, which can be treated as an array of hashes. |
## Examples
### Ensure a CloudTrail with a specific name exists
describe aws_cloudtrail_trails do
its('names') { should include('trail-1') }
end
### Ensure a CloudTrail with a specific arn exists
describe aws_cloudtrail_trails do
its('trail_arns') { should include('arn:aws:cloudtrail:us-east-1::trail/trail-1') }
end
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_cloudtrail_trails do
it { should exist }
end
describe aws_cloudtrail_trails do
it { should_not exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `cloudtrail:DescribeTrails` action with Effect set to Allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for AWS CloudTrail](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscloudtrail.html).


@ -1,85 +0,0 @@
+++
title = "aws_cloudwatch_alarm resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_cloudwatch_alarm"
identifier = "inspec/resources/aws/aws_cloudwatch_alarm.md aws_cloudwatch_alarm resource"
parent = "inspec/resources/aws"
+++
Use the `aws_cloudwatch_alarm` InSpec audit resource to test properties of a single CloudWatch Alarm.
**If more than one Alarm matches, an error will be raised.**
## Syntax
### Ensure an Alarm exists.
aws_cloudwatch_alarm(metric_name: 'my-metric-name', metric_namespace: 'my-metric-namespace') do
it { should exist }
end
## Parameters
### metric_name _(required)_
The metric name used by this alarm. This must be passed as a `metric_name: 'value'` key-value entry in a hash.
### metric_namespace _(required)_
The metric namespace used by this alarm. This must be passed as a `metric_namespace: 'value'` key-value entry in a hash.
### dimensions _(optional)_
The dimensions associated with this alarm. This must be passed as an array of hashes `dimensions: [{key:'value'}]` .
## Properties
| Property | Description |
| ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| alarm_actions | The actions to execute when this alarm transitions to the ALARM state from any other state. Each action is specified as an Amazon Resource Name (ARN). |
| alarm_name | The name of the alarm. |
| metric_name | The name of the metric. |
| metric_namespace | The namespace of the metric. |
## Examples
### Ensure an Alarm has at least one alarm action
describe aws_cloudwatch_alarm(metric_name: 'my-metric-name', metric_namespace: 'my-metric-namespace') do
its('alarm_actions') { should_not be_empty }
end
### Ensure an Alarm with Dimensions exists
describe aws_cloudwatch_alarm(metric_name: 'my-metric-name', metric_namespace: 'my-metric-namespace', dimensions: [{key: 'value'}]) do
it { should exist }
end
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_cloudwatch_alarm(metric_name: 'good-metric', metric_namespace: 'my-metric-namespace') do
it { should exist }
end
describe aws_cloudwatch_alarm(metric_name: 'bed-metric', metric_namespace: 'my-metric-namespace') do
it { should_not exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `cloudwatch:DescribeAlarmsForMetric` action with Effect set to Allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon CloudWatch](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncloudwatch.html).


@ -1,56 +0,0 @@
+++
title = "aws_cloudwatch_log_group resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_cloudwatch_log_group"
identifier = "inspec/resources/aws/aws_cloudwatch_log_group.md aws_cloudwatch_log_group resource"
parent = "inspec/resources/aws"
+++
Use the `aws_cloudwatch_log_group` InSpec audit resource to test properties of a single AWS CloudWatch Log Group.
## Syntax
Ensure that an `aws_cloudwatch_log_group` exists
describe aws_cloudwatch_log_group('my_log_group') do
it { should exist }
end
describe aws_cloudwatch_log_group(log_group_name: 'my_log_group') do
it { should exist }
end
## Parameters
### log_group_name _(required)_
This resource accepts a single parameter, the log group name which uniquely identifies the CloudWatch Log Group.
This can be passed either as a string or as a `log_group_name: 'value'` key-value entry in a hash.
See also the [AWS documentation on CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DescribeLogGroups.html).
## Properties
| Property | Description |
| ----------------- | ------------------------------------------------------------------------- |
| retention_in_days | The number of days to retain the log events in the specified log group |
| kms_key_id | The Amazon Resource Name (ARN) of the CMK to use when encrypting log data |
| tags | The tags for the log group. |
### Test tags on the CloudWatch Log Group
describe aws_cloudwatch_log_group('my_log_group') do
its('tags') { should include(:Environment => 'env-name',
:Name => 'my_log_group')}
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `logs:DescribeLogGroups` and `logs:ListTagsLogGroup` actions with Effect set to Allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon CloudWatch Logs](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncloudwatchlogs.html).


@ -1,108 +0,0 @@
+++
title = "aws_cloudwatch_log_metric_filter resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_cloudwatch_log_metric_filter"
identifier = "inspec/resources/aws/aws_cloudwatch_log_metric_filter.md aws_cloudwatch_log_metric_filter resource"
parent = "inspec/resources/aws"
+++
Use the `aws_cloudwatch_log_metric_filter` InSpec audit resource to search for and test properties of individual AWS Cloudwatch Log Metric Filters.
## Syntax
describe aws_cloudwatch_log_metric_filter(filter_name: 'my-filter', log_group_name: 'my-log-group') do
it { should exist }
end
describe aws_cloudwatch_log_metric_filter(log_group_name: 'my-log-group', pattern: 'my-filter') do
it { should exist }
end
## Parameters
**Note**: _While all parameters are optional, at least one must be provided. In practice, the more parameters you provide the narrower a result you will return._
### filter*name *(optional)\_
The name of the Log Metric Filter. Expected in a hash as `filter_name: 'value'`.
### log*group_name *(optional)\_
The log group of the filter. Expected in a hash as `log_group_name: 'value'`.
### pattern _(optional)_
A pattern by which to narrow down the result-set, if you expect multiple results. Expected in a hash as `pattern: 'value'`.
See also the [AWS documentation on CloudWatch](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncloudwatch.html).
## Properties
| Property | Description |
| ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| filter_name | The name of the metric filter. |
| log_group_name | The name of the log group. |
| metric_name | The name of the metric. |
| metric_namespace | The namespace of the metric. |
| pattern | A symbolic description of how CloudWatch Logs should interpret the data in each log event. For example, a log event may contain timestamps, IP addresses, strings, and so on. You use the filter pattern to specify what to look for in the log event message. |
## Examples
### Ensure a Filter exists
describe aws_cloudwatch_log_metric_filter(filter_name: 'my-filter', log_group_name: 'my-log-group') do
it { should exist }
end
### Ensure a Filter exists for a specific pattern
describe aws_cloudwatch_log_metric_filter(pattern: '"ERROR" - "Exiting"') do
it { should exist }
end
### Check the name of a Filter
describe aws_cloudwatch_log_metric_filter(log_group_name: 'app-log-group', pattern: 'KERBLEWIE') do
its('filter_name') { should eq 'kaboom_lmf' }
end
### Check the Log Group name of a Filter
describe aws_cloudwatch_log_metric_filter(filter_name: 'error-watcher') do
its('log_group_name') { should eq 'app-log-group' }
end
### Check a filter has the correct pattern
describe aws_cloudwatch_log_metric_filter(filter_name: 'error-watcher', log_group_name: 'app-log-group') do
its('pattern') { should cmp 'ERROR' }
end
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_cloudwatch_log_metric_filter(log_group_name: 'my-log-group') do
it { should exist }
end
describe aws_cloudwatch_log_metric_filter(log_group_name: 'i-dont-exist') do
it { should_not exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `cloudwatch:DescribeAlarmsForMetric` action with Effect set to Allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon CloudWatch](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazoncloudwatch.html).


@ -1,91 +0,0 @@
+++
title = "aws_config_delivery_channel resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_config_delivery_channel"
identifier = "inspec/resources/aws/aws_config_delivery_channel.md aws_config_delivery_channel resource"
parent = "inspec/resources/aws"
+++
The AWS Config service can monitor and record changes to your AWS resource configurations. A Delivery Channel can record the changes
to an S3 Bucket, an SNS or both.
Use the `aws_config_delivery_channel` InSpec audit resource to examine how the AWS Config service delivers those change notifications.
One delivery channel is allowed per region per AWS account, and the delivery channel is required to use AWS Config.
## Syntax
describe aws_config_delivery_channel('my_channel') do
it { should exist }
end
describe aws_config_delivery_channel(channel_name: 'my-channel') do
it { should exist }
end
Since you may only have one Delivery Channel per region, and InSpec connections are per-region, you may also omit the `channel_name` to obtain the one Delivery Channel (if any) that exists:
describe aws_config_delivery_channel do
it { should exist }
end
## Parameters
### channel_name _(optional)_
This resource can be passed a single parameter, the Channel Name.
This can be passed either as a string or as a `channel_name: 'value'` key-value entry in a hash.
See also the [AWS documentation on Delivery Channels](https://docs.aws.amazon.com/config/latest/developerguide/manage-delivery-channel.html).
## Properties
| Property | Description |
| --------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
| channel_name | The name of the delivery channel. By default, AWS Config assigns the name "default" when creating the delivery channel. |
| s3_bucket_name | The name of the Amazon S3 bucket to which AWS Config delivers configuration snapshots and configuration history files. |
| s3_key_prefix | The prefix for the specified Amazon S3 bucket. |
| sns_topic_arn | The Amazon Resource Name (ARN) of the Amazon SNS topic to which AWS Config sends notifications about configuration changes. |
| delivery_frequency_in_hours | Specifies how often the AWS Config sends configuration changes to the s3 bucket in the delivery channel. |
## Examples
### Test how frequently the channel writes configuration changes to the s3 bucket
describe aws_config_delivery_channel(channel_name: 'my-recorder') do
its('delivery_frequency_in_hours') { should be > 3 }
end
### Ensure configuration change notifications are being delivered to the correct bucket and key
describe aws_config_delivery_channel(channel_name: 'my_channel')
its('s3_bucket_name') { should eq 'my_bucket' }
its('s3_key_prefix') { should eq 'logs/' }
end
## Matchers
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_config_delivery_channel('my_channel') do
it { should exist }
end
describe aws_config_delivery_channel('my-nonexistent-channel') do
it { should_not exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `config:DescribeDeliveryChannels` action with Effect set to Allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for AWS Config](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awsconfig.html).


@ -1,103 +0,0 @@
+++
title = "aws_config_recorder resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_config_recorder"
identifier = "inspec/resources/aws/aws_config_recorder.md aws_config_recorder resource"
parent = "inspec/resources/aws"
+++
Use the `aws_config_recorder` InSpec audit resource to test properties of your AWS Config Service.
The AWS Config service can monitor and record changes to your AWS resource configurations. The Aws Config Recorder is used to detect changes in resource configurations and capture these changes as configuration items.
As of April 2018, you are only permitted one configuration recorder per region.
## Syntax
Ensure that an auto scaling group exists and has the correct scale sizes
describe aws_config_recorder('my-recorder') do
it { should exist }
end
You may also use hash syntax to pass the recorder name
describe aws_config_recorder(recorder_name: 'my-recorder') do
it { should exist }
end
Since you may only have one recorder per region, and InSpec connections are per-region, you may also omit the recorder name to obtain the one recorder (if any) that exists:
describe aws_config_recorder do
it { should exist }
end
## Parameters
### recorder_name _(optional)_
This resource accepts a single parameter, the Configuration Recorder Name.
This can be passed either as a string or as a `recorder_name: 'value'` key-value entry in a hash.
See also the [AWS documentation on Configuration](https://docs.aws.amazon.com/config/latest/developerguide/aws-config-landing-page.html).
## Properties
| Property | Description |
| -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| recorder_name | The name of the recorder. By default, AWS Config automatically assigns the name "default" when creating the configuration recorder. You cannot change the assigned name. |
| role_arn | Amazon Resource Name (ARN) of the IAM role used to describe the AWS resources associated with the account. |
| resource_types | A comma-separated list that specifies the types of AWS resources for which AWS Config records configuration changes (i.e. AWS::EC2::Instance) |
## Examples
### Test if the recorder is active and recording
describe aws_config_recorder do
it { should be_recording }
end
### Ensure the role_arn is correct for the recorder
The role is used to grant permissions to S3 Buckets, SNS topics and to get configuration details for supported AWS resources.
describe aws_config_recorder do
its('role_arn') { should eq 'arn:aws:iam::721741954427:role/My_Recorder' }
end
### Test the recorder is monitoring changes to the correct resources.
describe aws_config_recorder do
its('resource_types') { should include 'AWS::EC2::CustomerGateway' }
its('resource_types') { should include 'AWS::EC2::EIP' }
end
## Matchers
### be_recording
Ensure the recorder is active
it { should be_recording }
### be_recording_all_resource_types
Indicates if the ConfigurationRecorder will record changes for all resources, regardless of type. If this is true, resource_types is ignored.
it { should be_recording_all_resource_types }
### be_recording_all_global_types
Indicates whether the ConfigurationRecorder will record changes for global resource types (such as [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal)s).
it { should be_recording_all_global_types }
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `config:DescribeConfigurationRecorders` action with Effect set to Allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for AWS Config](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awsconfig.html).


@ -1,78 +0,0 @@
+++
title = "aws_db_subnet_group resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_db_subnet_group"
identifier = "inspec/resources/aws/aws_db_subnet_group.md aws_db_subnet_group resource"
parent = "inspec/resources/aws"
+++
Use the `aws_db_subnet_group` InSpec audit resource to test properties of a db subnet group.
## Syntax
An `aws_db_subnet_group` resource block uses the parameter to select a subnet group.
describe aws_db_subnet_group(db_subnet_group_name: 'subnet-group-name-12345') do
it { should exist }
end
## Parameters
### db_subnet_group_name _(required)_
This resource accepts a single parameter, the DB Subnet Group Name.
This can be passed either as a string or as a `aws_db_subnet_group: 'value'` key-value entry in a hash.
See also the [AWS documentation on DB Subnet Groups](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Subnets).
## Properties
| Property | Description |
| --------------------------- | ------------------------------------------------- |
| db_subnet_group_name | The name of the DB subnet group. |
| db_subnet_group_description | Provides the description of the DB subnet group. |
| vpc_id | Provides the VPC ID of the DB subnet group. |
| subnet_group_status | Provides the status of the DB subnet group. |
| subnets | Contains a list of Subnet elements. |
| db_subnet_group_arn | The Amazon Resource Name for the DB subnet group. |
For a comprehensive list of properties available, see [the API reference documentation](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DBSubnetGroup.html)
## Examples
### Check DB Subnet Group Name of a subnet group
describe aws_db_subnet_group(db_subnet_group_name: 'subnet-group-name-12345') do
its('db_subnet_group_name') { should eq 'subnet-group-name-12345' }
end
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_db_subnet_group(db_subnet_group_name: 'subnet-group-name-12345') do
it { should exist }
end
describe aws_rds_cluster(db_cluster_identifier: 'subnet-group-name-6789') do
it { should_not exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal)
will need the `rds:DescribeDBSubnetGroup` action with Effect set to Allow.
You can find detailed documentation at
[Actions, Resources, and Condition Keysfor Amazon RDS](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonrds.html).


@ -1,77 +0,0 @@
+++
title = "aws_db_subnet_groups resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_db_subnet_groups"
identifier = "inspec/resources/aws/aws_db_subnet_groups.md aws_db_subnet_groups resource"
parent = "inspec/resources/aws"
+++
Use the `aws_db_subnet_groups` InSpec audit resource to test properties of a collection of AWS RDS subnet groups.
RDS gives you access to the capabilities of a MySQL, MariaDB, PostgreSQL, Microsoft SQL Server, Oracle, or Amazon Aurora database server.
## Syntax
Ensure you have exactly 3 subnet groups
describe aws_db_subnet_groups do
its('db_subnet_group_names.count') { should cmp 3 }
end
## Parameters
This resource does not expect any parameters.
See also the [AWS documentation on RDS](https://docs.aws.amazon.com/rds/?id=docs_gateway).
## Properties
| Property | Description |
| ---------------------------- | ------------------------------------------------- |
| db_subnet_group_names | The name of the DB subnet group. |
| db_subnet_group_descriptions | Provides the description of the DB subnet group. |
| vpc_ids | Provides the VPC ID of the DB subnet group. |
| subnet_group_status | Provides the status of the DB subnet group. |
| subnets | Contains a list of Subnet elements. |
| db_subnet_group_arns | The Amazon Resource Name for the DB subnet group. |
For a comprehensive list of properties available, see [the API reference documentation](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DBSubnetGroup.html)
## Examples
### Ensure DB Subnet Group Name of a subnet group exists
describe aws_db_subnet_groups do
its('db_subnet_group_names') { should include 'subnet-group-name' }
end
## Matchers
For a full list of available matchers, please visit our [Universal Matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_db_subnet_groups.where( <property>: <value> ) do
it { should exist }
end
describe aws_db_subnet_groups.where( <property>: <value> ) do
it { should_not exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal)
will need the `rds:DescribeDBSubnetGroups` action with Effect set to Allow.
You can find detailed documentation at
[Actions, Resources, and Condition Keys for Amazon RDS](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonrds.html).


@ -1,57 +0,0 @@
+++
title = "aws_dhcp_options resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_dhcp_options"
identifier = "inspec/resources/aws/aws_dhcp_options.md aws_dhcp_options resource"
parent = "inspec/resources/aws"
+++
Use the `aws_dhcp_options` InSpec audit resource to test properties of a single AWS DHCP Options.
## Syntax
Ensure that an `aws_dhcp_options` exists
describe aws_dhcp_options('dopt-0123456789abcdefg') do
it { should exist }
end
describe aws_dhcp_options(dhcp_options_id: 'dopt-0123456789abcdefg') do
it { should exist }
end
## Parameters
### dhcp_options_id _(required)_
This resource accepts a single parameter, the DHCP Options ID which uniquely identifies the DHCP Options.
This can be passed either as a string or as a `dhcp_options_id: 'value'` key-value entry in a hash.
See also the [AWS documentation on EC2](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeDhcpOptions.html).
## Properties
| Property | Description |
| ------------------- | --------------------------------------------------------- |
| dhcp_configurations | The list of dhcp configurations |
| domain_name_servers | The list of domain name servers in the dhcp configuration |
| ntp_servers | The list of ntp servers in the dhcp configuration |
| tags | The tags of the DHCP Options. |
### Test tags on the DHCP Options
describe aws_dhcp_options('dopt-0123456789abcdefg') do
its('tags') { should include(:Environment => 'env-name',
:Name => 'dhcp-options-name')}
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `ec2:DescribeDhcpOptions` action with Effect set to Allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html).


@ -1,105 +0,0 @@
+++
title = "aws_dynamodb_table resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_dynamodb_table"
identifier = "inspec/resources/aws/aws_dynamodb_table.md aws_dynamodb_table resource"
parent = "inspec/resources/aws"
+++
Use the `aws_dynamodb_table` InSpec audit resource to test properties of a single DynamoDb Table.
## Syntax
### Ensure an DynamoDb Table exists.
describe aws_dynamodb_table(table_name: 'table-name') do
it { should exist }
end
## Parameters
### table_name _(required)_
The table name used by this DynamoDb Table. This must be passed as a `table_name: 'value'` key-value entry in a hash.
## Properties
| Property | Description |
| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| table_name | The name of the DynamoDb Table. |
| table_status | The status of the DynamoDb Table. |
| table_arn | The Amazon Resource Names of the DynamoDb Table. |
| creation_date | The date the DynamoDb Table was created. eg. `01/01/2019` |
| number_of_decreases_today | The number of provisioned throughput decreases for this table during this UTC calendar day. |
| write_capacity_units | The maximum number of writes consumed per second before DynamoDb returns a ThrottlingException. |
| read_capacity_units | The maximum number of strongly consistent reads consumed per second before DynamoDb returns a ThrottlingException. |
| item_count | The number of entries in the DynamoDb Table. |
| attributes | An array of attributes that describe the key schema for the table and indexes. This is returned as a hash. Each entry is composed of: `attribute_name` - The name of this key attribute. `attribute_type` - The datatype of the attribute : `B` - Boolean, `N` - Number, `S` - string |
| key_schema | Specifies the attributes that make up the primary key for a table or an index. This is returned as a hash. The attributes in KeySchema must also be defined in the Attributes array. Each element in the KeySchemaElement array is composed of: `attribute_name` - The name of this key attribute. `key_type` - The role that the key attribute will assume: `HASH` - partition key, `RANGE` - sort key |
| global_secondary_indexes | A list of global secondary indexes if there is any referenced on the selected table. |
## Examples
### Ensure DynamoDb Table status is active
describe aws_dynamodb_table(table_name: 'table-name') do
its('table_status') { should eq 'ACTIVE' }
end
### Ensure DynamoDb Table has an attribute
describe aws_dynamodb_table(table_name: 'table-name') do
its('attributes') { should_not be_empty }
its('attributes') { should include({:attribute_name =>'table_field', :attribute_type =>'N'}) }
end
### Ensure DynamoDb Table has a key_schema
describe aws_dynamodb_table(table_name: 'table-name') do
its('key_schema') { should_not be_empty }
its('key_schema') { should include({:attribute_name =>'table_field', :key_type =>'HASH'}) }
end
### Ensure DynamoDb Table has the correct global secondary indexes set
aws_dynamodb_table(table_name: 'table-name').global_secondary_indexes.each do |global_sec_idx|
describe global_sec_idx do
its('index_name') { should eq 'TitleIndex' }
its('index_status') { should eq 'ACTIVE' }
its('key_schema') { should include({:attribute_name =>'Title', :key_type =>'HASH'}) }
its('provisioned_throughput.write_capacity_units') { should cmp 10 }
its('provisioned_throughput.read_capacity_units') { should cmp 10 }
its('projection.projection_type') { should eq 'INCLUDE' }
end
end
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_dynamodb_table(table_name: 'table-name') do
it { should exist }
end
describe aws_dynamodb_table(table_name: 'table-name') do
it { should_not exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal)
will need the `DynamoDB::DescribeTable` action with Effect set to Allow.
You can find detailed documentation at
[Actions, Resources, and Condition Keys for Amazon Dynamodb](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazondynamodb.html).


@ -1,107 +0,0 @@
+++
title = "aws_ebs_volume resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_ebs_volume"
identifier = "inspec/resources/aws/aws_ebs_volume.md aws_ebs_volume resource"
parent = "inspec/resources/aws"
+++
Use the `aws_ebs_volume` InSpec audit resource to test properties of a single AWS EBS volume.
## Syntax
Ensure an EBS exists
describe aws_ebs_volume('vol-01a2349e94458a507') do
it { should exist }
end
You may also use hash syntax to pass the EBS volume name
describe aws_ebs_volume(name: 'data-vol') do
it { should exist }
end
## Parameters
This resource accepts a single parameter, either the EBS Volume name or id. At least one must be provided.
### volume_id _(required if `name` not provided)_
The EBS Volume ID which uniquely identifies the volume.
This can be passed as either a string or an `volume_id: 'value'` key-value entry in a hash.
### name _(required if `volume_id` not provided)_
The EBS Volume Name which uniquely identifies the volume.
This must be passed as a `name: 'value'` key-value entry in a hash.
See also the [AWS documentation on EBS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html).
## Properties
| Property | Description |
| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
| availability_zone | The Availability Zone for the volume. |
| encrypted | Indicates whether the volume will be encrypted. |
| iops | The number of I/O operations per second (IOPS) that the volume supports. |
| kms_key_id | The full ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) that was used to protect the volume encryption key for the volume. |
| size | The size of the volume, in GiBs. |
| snapshot_id | The snapshot from which the volume was created, if applicable. |
| status | The volume state. |
| volume_type | The volume type. |
## Examples
### Test that an EBS Volume does not exist
describe aws_ebs_volume(name: 'data_vol') do
it { should_not exist }
end
### Test that an EBS Volume is encrypted
describe aws_ebs_volume(name: 'secure_data_vol') do
it { should be_encrypted }
end
### Test that an EBS Volume the correct size
describe aws_ebs_volume(name: 'data_vol') do
its('size') { should cmp 32 }
end
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_ebs_volume(name: 'data_vol') do
it { should exist }
end
describe aws_ebs_volume(name: 'data_vol') do
it { should_not exist }
end
### be_encrypted
The `be_encrypted` matcher tests if the described EBS Volume is encrypted.
it { should be_encrypted }
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `ec2:DescribeVolumes`, and `iam:GetInstanceProfile` actions set to allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).


@ -1,75 +0,0 @@
+++
title = "aws_ebs_volumes resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_ebs_volumes"
identifier = "inspec/resources/aws/aws_ebs_volumes.md aws_ebs_volumes resource"
parent = "inspec/resources/aws"
+++
Use the `aws_ebs_volumes` InSpec audit resource to test properties of a collection of AWS EBS volumes.
EBS volumes are persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud.
## Syntax
Ensure you have exactly 3 volumes
describe aws_ebs_volumes do
its('volume_ids.count') { should cmp 3 }
end
## Parameters
This resource does not expect any parameters.
See also the [AWS documentation on EBS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html).
## Properties
| Property | Description |
| ---------- | -------------------------------------------------------------------------------------------- |
| volume_ids | The unique IDs of the EBS Volumes returned. |
| entries | Provides access to the raw results of the query, which can be treated as an array of hashes. |
## Examples
#####Ensure a specific volume exists
describe aws_ebs_volumes do
its('volume_ids') { should include 'vol-12345678' }
end
##### Use the InSpec resource to request the IDs of all EBS volumes, then test in-depth using `aws_ebs_volume` to ensure all volumes are encrypted and have a sensible size.
aws_ebs_volumes.volume_ids.each do |volume_id|
describe aws_ebs_volume(volume_id) do
it { should be_encrypted }
its('size') { should be > 10 }
its('iops') { should cmp 100 }
end
end
## Matchers
For a full list of available matchers, please visit our [Universal Matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_ebs_volumes do
it { should exist }
end
describe aws_ebs_volumes do
it { should_not exist }
end
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `ec2:DescribeVolumes`, and `iam:GetInstanceProfile` actions set to allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).


@ -1,163 +0,0 @@
+++
title = "aws_ec2_instance resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_ec2_instance"
identifier = "inspec/resources/aws/aws_ec2_instance.md aws_ec2_instance resource"
parent = "inspec/resources/aws"
+++
Use the `aws_ec2_instance` InSpec audit resource to test properties of a single AWS EC2 instance.
## Syntax
An `aws_ec2_instance` resource block declares the tests for a single AWS EC2 instance by either name or instance id.
describe aws_ec2_instance('i-01a2349e94458a507') do
it { should exist }
end
describe aws_ec2_instance(name: 'my-instance') do
it { should exist }
end
## Parameters
One of either the EC2 instance's ID or name must be be provided.
### instance_id _(required if `name` not provided)_
The ID of the EC2 instance. This is in the format of `i-` followed by 8 or 17 hexadecimal characters.
This can be passed either as a string or as an `instance_id: 'value'` key-value entry in a hash.
### name _(required if `instance_id` not provided)_
If you have a `Name` tag applied to the EC2 instance, this can be used to lookup the instance.
This must be passed as a `name: 'value'` key-value entry in a hash.
## Properties
| Property | Description |
| ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| state | The current state of the EC2 Instance, for example 'running'. |
| image_id | The id of the AMI used to launch the instance. |
| role | The IAM role attached to the instance. |
| launch_time | The time the instance was launched. |
| availability_zone | The availability zone of the instance. |
| security_groups | A hash containing the security group ids and names associated with the instance. |
| security_group_ids | The security group ids associated with the instance. |
| ebs_volumes | A hash containing the names and ids of any EBS volumes associated with the instance. |
| tags | A list of hashes with each key-value pair corresponding to an EC2 instance tag, e.g, `[{:key=>"Name", :value=>"Testing Box"}, {:key=>"Environment", :value=>"Dev"}]` |
| tags_hash | A hash, with each key-value pair corresponding to an EC2 instance tag, e.g, `{"Name"=>"Testing Box", "Environment"=>"Dev"}`. This property is available in InSpec AWS resource pack version **[1.12.0](https://github.com/inspec/inspec-aws/releases/tag/v1.12.0)** onwards. |
There are also additional properties available. For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Instance.html)
## Examples
### Test that an EC2 instance is running
describe aws_ec2_instance(name: 'prod-database') do
it { should be_running }
end
### Test that an EC2 instance is using the correct AMI
describe aws_ec2_instance(name: 'my-instance') do
its('image_id') { should eq 'ami-27a58d5c' }
end
### Test that an EC2 instance has the correct tag
describe aws_ec2_instance('i-090c29e4f4c165b74') do
its('tags') { should include(key: 'Contact', value: 'Gilfoyle') }
end
### Test that an EC2 instance has the correct tag (using the `tags_hash` property)
describe aws_ec2_instance('i-090c29e4f4c165b74') do
its('tags_hash') { should include('Contact' => 'Gilfoyle') }
its('tags_hash') { should include('Contact') } # Regardless of the value
end
### Test that an EC2 instance has no roles
describe aws_ec2_instance('i-090c29e4f4c165b74') do
it { should_not have_roles }
end
## Matchers
This InSpec audit resource has the following special matchers. For a full list of
available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
it { should exist }
it { should_not exist }
### has_roles
Test if the EC2 instance has any roles associated with it.
Use `should_not` to test the entity does not have roles.
it { should have_roles }
it { should_not have_roles }
### be_pending
The `be_pending` matcher tests if the described EC2 instance state is `pending`. This indicates that an instance is provisioning. This state should be temporary.
it { should be_pending }
### be_running
The `be_running` matcher tests if the described EC2 instance state is `running`. This indicates the instance is fully operational from AWS's perspective.
it { should be_running }
### be_shutting_down
The `be_shutting_down` matcher tests if the described EC2 instance state is `shutting-down`. This indicates the instance has received a termination command and is in the process of being permanently halted and de-provisioned. This state should be temporary.
it { should be_shutting_down }
### be_stopped
The `be_stopped` matcher tests if the described EC2 instance state is `stopped`. This indicates that the instance is suspended and may be started again.
it { should be_stopped }
### be_stopping
The `be_stopping` matcher tests if the described EC2 instance state is `stopping`. This indicates that an AWS stop command has been issued, which will suspend the instance in an OS-unaware manner. This state should be temporary.
it { should be_stopping }
### be_terminated
The `be_terminated` matcher tests if the described EC2 instance state is `terminated`. This indicates the instance is permanently halted and will be removed from the instance listing in a short period. This state should be temporary.
it { should be_terminated }
### be_unknown
The `be_unknown` matcher tests if the described EC2 instance state is `unknown`. This indicates an error condition in the AWS management system. This state should be temporary.
it { should be_unknown }
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `ec2:DescribeInstances`, and `iam:GetInstanceProfile` actions set to allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).


@ -1,111 +0,0 @@
+++
title = "aws_ec2_instances resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_ec2_instances"
identifier = "inspec/resources/aws/aws_ec2_instances.md aws_ec2_instances resource"
parent = "inspec/resources/aws"
+++
Use the `aws_ec2_instances` InSpec audit resource to test properties of some or all AWS EC2 instances. To audit a single EC2 instance, use `aws_ec2_instance` (singular).
## Syntax
An `aws_ec2_instances` resource block collects a group of EC2 Instances and then tests that group.
describe aws_ec2_instances
it { should exist }
end
## Parameters
This resource does not expect any parameters.
## Properties
| Property | Description |
| -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| instance_ids | The ID of the EC2 instance. The field name is `instance_id`. |
| names | The value of the `Name` tag if applied to the instance. The filed name is `name`. |
| vpc_ids | The VPC with which the EC2 instance is associated. The field name is `vpc_id`. |
| subnet_ids | The subnet with which the EC2 instance is associated. The field name is `subnet_id`. |
| instance_types | The type of instance, for example m5.large. The field name is `instance_type`. |
| entries | Provides access to the raw results of the query, which can be treated as an array of hashes. |
| tags | A hash, with each key-value pair corresponding to an EC2 instance tag, e.g, `{"Name"=>"Testing Box", "Environment"=>"Dev"}`. This property is available in InSpec AWS resource pack version **[1.12.0](https://github.com/inspec/inspec-aws/releases/tag/v1.12.0)** onwards. The field name is `tags`. |
| iam_profiles | The IAM instance profile associated with the instance. The `role` property of the `aws_ec2_instance` singular resource can be used to check the attached IAM role on the profile. The field name is `iam_profile`. |
## Examples
### Ensure you have exactly 3 instances
describe aws_ec2_instances do
its('instance_ids.count') { should cmp 3 }
end
### Use this InSpec resource to request the IDs of all EC2 instances, then test in-depth using `aws_ec2_instance`.
aws_ec2_instances.instance_ids.each do |instance_id|
describe aws_ec2_instance(instance_id) do
it { should_not have_roles }
its('key_name') { should cmp 'admin-ssh-key' }
its('image_id') { should eq 'ami-27a58d5c' }
end
end
### Filter EC2 instances with their `Environment` tags<superscript>\*</superscript> equal to `Dev`, then test in-depth using `aws_ec2_instance`.
aws_ec2_instances.where(tags: {"Environment" => "Dev"}).instance_ids.each do |id|
describe aws_ec2_instance(id) do
it { should be_stopped }
end
end
<superscript>\*</superscript>Note that the filter won't return the EC2 instances with multiple tags. In this case use regex: `/{"Environment"=>"Dev"}/`
### Filter EC2 instances with a `stop-at-10-pm` tag regardless of its value, then test in-depth using `aws_ec2_instance`.
aws_ec2_instances.where(tags: /"stop-at-10-pm"=>/).instance_ids.each do |id|
describe aws_ec2_instance(id) do
it { should be_stopped }
end
end
### Filter EC2 instances with their `name` equal to `Test Box`, then check their role using `aws_ec2_instance`.
aws_ec2_instances.where(name: "Test Box").instance_ids.each do |id|
describe aws_ec2_instance(id) do
its('role) { should eq "test-role" }
end
end
## Matchers
For a full list of available matchers, please visit our [Universal Matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
The field names described in the [properties table](#properties) should be used for the `<property>` in the `where` clause.
Use `should_not` to test the entity should not exist.
describe aws_ec2_instances.where( <property>: <value>) do
it { should exist }
end
describe aws_ec2_instances.where( <property>: <value>) do
it { should_not exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal)
will need the `ec2:DescribeInstances`, and `iam:GetInstanceProfile` actions set to allow.
You can find detailed documentation at
[Actions, Resources, and Condition Keys for Amazon EC2](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonec2.html),
and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).


@ -1,90 +0,0 @@
+++
title = "aws_ecr resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_ecr"
identifier = "inspec/resources/aws/aws_ecr.md aws_ecr resource"
parent = "inspec/resources/aws"
+++
{{< warning >}}
This resource is deprecated. Please use one of the following resources instead.
- `aws_ecr_image`
- `aws_ecr_images`
- `aws_ecr_repository`
- `aws_ecr_repositories`
{{< /warning >}}
Use the `aws_ecr` InSpec audit resource to test properties of a single AWS Elastic Container Registry.
## Syntax
An `aws_ecr` resource block declares the tests for a single AWS ECR by repository name.
describe aws_ecr(repository_name: aws_ecr_name) do
it { should exist }
its ('repository_name') { should eq aws_ecr_name }
end
## Parameters
The ECR repository_name must be provided.
### repository*name *(required)\_
The name of the repository
This can be passed either as a string or as an `repository_name: 'value'` key-value entry in a hash.
## Properties
| Property | Description |
| ------------------- | ------------------------------------------------------------------------------ |
| registry_id | The AWS account ID associated with the registry |
| repository_arn | The Amazon Resource Name of the repository |
| repository_name | The name of the repository |
| repository_uri | The uri of the repository |
| image_tags | The tags associated with the image |
| image_digest | A sha256 hash of the image |
| image_size_in_bytes | The size of the image in bytes. |
| image_pushed_at | The datetime as a string when the image was uploaded. 'yyyy-mm-dd hh:mm:ss tz' |
| image_uploaded_date | The date as a string when the image was uploaded. 'yyyy-mm-dd' |
## Examples
### Test that an ECR has the correct image properties
describe aws_ecr(repository_name: aws_ecr_name).images do
its ('image_tags') { should include 'latest'}
its ('image_digest') { should eq 'sha256:6dce4a9c1635c4c9b6a2b645e6613fa0238182fe13929808ee2258370d0f3497'}
its ('image_size_in_bytes') { should eq 764234}
its ('image_uploaded_date') { should eq '2019-06-11'}
its ('image_pushed_at') { should eq '2019-06-11 15:08:29 +0100'}
end
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
it { should exist }
it { should_not exist }
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `ecr:DescribeRepositories` and `ecr:DescribeImages` actions set to allow.
You can find detailed documentation at
[Actions, Resources, and Condition Keys for Amazon ECR](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonelasticcontainerregistry.html),
and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).


@ -1,105 +0,0 @@
+++
title = "aws_ecr_image resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_ecr_image"
identifier = "inspec/resources/aws/aws_ecr_image"
parent = "inspec/resources/aws"
+++
Use the `aws_ecr_image` InSpec audit resource to test the properties of a single image in an AWS Elastic Container Registry (ECR) repository.
This resource is available in InSpec AWS resource pack version **[1.11.0](https://github.com/inspec/inspec-aws/releases/tag/v1.11.0)** onwards.
## Syntax
An `aws_ecr_image` resource block declares the tests for a single image in an AWS ECR repository by repository name and image identifier.
describe aws_ecr_image(repository_name: 'my-repo', image_tag: 'latest') do
it { should exist }
end
## Parameters
The repository name and the image identifier (either `image_tag` or `image_digest`) must be provided. The ID of the registry is optional.
### repository_name _(required)_
The name of the ECR repository must satisfy the following constraints:
- Regex pattern `(?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*`.
- Minimum 2 and maximum of 256 characters long.
### image_tag _(required if `image_digest` not provided)_
The tag used for the image. It can not be longer than 300 characters.
### image_digest _(required if `image_tag` not provided)_
The `sha256` digest of the image manifest. It must satisfy this regex pattern: `[a-zA-Z0-9-_+.]+:[a-fA-F0-9]+`.
### registry_id _(optional)_
The 12-digit ID of the AWS Elastic Container Registry. If not provided, the [default](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_DescribeRepositories.html) registry is assumed.
## Properties
| Property | Description |
| ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| repository_name | The name of the repository. |
| registry_id | The AWS account ID associated with the registry that contains the repository. |
| tags | The list of tags associated with this image. |
| vulnerability_severity_counts | The image vulnerability counts, sorted by severity, e.g. `{:high=>1}`. |
| vulnerabilities | A list of hashes with each key-value pair corresponding to an image [scan findings](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_ImageScanFinding.html). E.g. `{:name=>"CVE-2019-14697", :uri=>"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697", :severity=>"HIGH", :package_version=>"1.1.18-r3", :package_name=>"musl", :CVSS2_VECTOR=>"AV:N/AC:L/Au:N/C:P/I:P/A:P", :CVSS2_SCORE=>"7.5"}` |
| cve_ids | The list of [CVE IDs](https://cve.mitre.org/cve/identifiers/) of the vulnerabilities in the image. |
| highest_vulnerability_severity | The [CVSS v2](https://www.first.org/cvss/v2/guide) score of the most severe vulnerability in the image. |
There are also additional properties available. For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_ImageDetail.html)
## Examples
### Test the scan status of an image
describe aws_ecr_image(repository_name: 'my-repo', image_tag: 'latest') do
its('image_scan_status.status') { should eq 'COMPLETE' }
end
### Test that an image has a certain tag
describe aws_ecr_image(repository_name: 'my-repo', image_digest: 'sha256:687fba9b76554c8dea4c40fed4144011f29b8e1d5db5f2fc976c64ed31894967') do
its('tags') { should include('latest') }
end
### Test that an image does not contain the [Heartbleed](https://heartbleed.com/) vulnerability
describe aws_ecr_image(repository_name: 'my-repo', image_tag: 'latest') do
its('cve_ids') { should_not include('CVE-2014-0160') }
end
### Test that an image does not contain a vulnerability more severe than CVSS v2 score 8
describe aws_ecr_image(repository_name: 'my-repo', image_tag: 'latest') do
its('highest_vulnerability_severity') { should be <= 8 }
end
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
describe aws_ecr_image(repository_name: 'my-repo', image_tag: 'latest') do
it { should exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal)
will need the `ecr:DescribeImages` and `ecr:DescribeImageScanFindings` actions set to allow.
You can find detailed documentation at
[Actions, Resources, and Condition Keys for Amazon ECR](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_Operations.html),
and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).


@ -1,89 +0,0 @@
+++
title = "aws_ecr_images resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_ecr_images"
identifier = "inspec/resources/aws/aws_ecr_images.md aws_ecr_images"
parent = "inspec/resources/aws"
+++
Use the `aws_ecr_images` InSpec audit resource to test the properties of all images in an AWS Elastic Container Registry (ECR) repository.
This resource is available in InSpec AWS resource pack version **[1.11.0](https://github.com/inspec/inspec-aws/releases/tag/v1.11.0)** onwards.
## Syntax
An `aws_ecr_images` resource block declares the tests for all images in an AWS ECR repository by the repository name.
describe aws_ecr_images(repository_name: 'my-repo') do
it { should exist }
end
## Parameters
The repository name must be provided. The ID of the registry is optional.
### repository_name _(required)_
The name of the ECR repository must satisfy the following constraints:
- Regex pattern `(?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*`.
- Minimum 2 and maximum of 256 characters long.
### registry_id _(optional)_
The 12-digit ID of the AWS Elastic Container Registry. If not provided, the [default](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_DescribeRepositories.html) registry is assumed.
## Properties
| Property | Description |
| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| digests | The sha256 digest of the image manifest. The field name is `digest`. |
| size_in_bytes | The size, in bytes, of the image in the repository. |
| tags | The list of tags associated with an image. The field name is `tags`. |
| vulnerability_severity_counts | The image vulnerability counts, sorted by severity. |
| vulnerability_scan_status | The current state of the scan. It returns an [image scan status object](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_ImageScanStatus.html). |
| pushed_at_dates | The date and time at which an image was pushed to the repository. The field name is `pushed_at_date`. |
## Examples
### Ensure that there are exactly 3 images
describe aws_ecr_images(repository_name: 'my-repo') do
its('count') { should cmp 3 }
end
### Use this InSpec resource to request the digests of all images, then test in-depth using `aws_ecr_image`.
aws_ecr_images(repository_name: 'my-repo').digests.each do |image_digest|
describe aws_ecr_image(repository_name: 'my-repo', image_digest: image_digest) do
its('tags') { should include('latest') }
end
end
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_ecr_images(repository_name: 'my-repo').where( <property>: <value>) do
it { should exist }
end
describe aws_ecr_images(repository_name: 'my-repo').where( <property>: <value>) do
it { should_not exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `ecr:DescribeImages` action set to allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon ECR](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_Operations.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).


@ -1,88 +0,0 @@
+++
title = "aws_ecr_repositories resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_ecr_repositories"
identifier = "inspec/resources/aws/aws_ecr_repositories.md aws_ecr_repositories"
parent = "inspec/resources/aws"
+++
Use the `aws_ecr_repositories` InSpec audit resource to test the properties of all repositories in an AWS Elastic Container Registry (ECR).
This resource is available in InSpec AWS resource pack version **[1.11.0](https://github.com/inspec/inspec-aws/releases/tag/v1.11.0)** onwards.
## Syntax
An `aws_ecr_repositories` resource block declares the tests for all AWS ECR repositories in the default registry unless the registry ID is provided.
describe aws_ecr_repositories do
it { should exist }
end
Repositories in a non-default registry can be tested by supplying the registry ID if the AWS user has necessary permissions on it.
describe aws_ecr_repositories(registry_id: '123456789012') do
it { should exist }
end
## Parameters
The registry id is optional.
### registry_id _(optional)_
The 12-digit ID of the AWS Elastic Container Registry. If not provided, the [default](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_DescribeRepositories.html) registry is assumed.
## Properties
| Property | Description |
| ----------------------------- | ------------------------------------------------------------------------------------------ |
| arns | The Amazon Resource Name (ARN) that identifies the repository. |
| names | The name of the repository. |
| uris | The URI for the repository. |
| created_at_dates | The date and time, in JavaScript date format, when the repository was created. |
| image_tag_mutability_status | The tag mutability setting for the repository. |
| image_scanning_on_push_status | The setting that determines whether images are scanned after being pushed to a repository. |
## Examples
### Ensure that there are exactly 3 repositories in the default registry
describe aws_ecr_repositories do
its("count") { should cmp 3 }
end
### Use this InSpec resource to request the names of all repositories, then test in-depth using `aws_ecr_repository`.
aws_ecr_repositories.names.each do |repository_name|
describe aws_ecr_repository(repository_name) do
its('image_tag_mutability') { should eq 'MUTABLE' }
end
end
## Matchers
For a full list of available matchers, please visit our [Universal Matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_ecr_repositories.where( <property>: <value>) do
it { should exist }
end
describe aws_ecr_repositories.where( <property>: <value>) do
it { should_not exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `ecr:DescribeRepositories` action set to allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon ECR](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_Operations.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).


@ -1,95 +0,0 @@
+++
title = "aws_ecr_repository resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_ecr_repository"
identifier = "inspec/resources/aws/aws_ecr_repository.md aws_ecr_repository"
parent = "inspec/resources/aws"
+++
[\[edit on GitHub\]](https://github.com/inspec/inspec/blob/master/docs-chef-io/content/aws_ecr_repository.md)
Use the `aws_ecr_repository` InSpec audit resource to test the properties of a single AWS Elastic Container Registry (ECR) repository.
This resource is available in InSpec AWS resource pack version **[1.11.0](https://github.com/inspec/inspec-aws/releases/tag/v1.11.0)** onwards.
## Syntax
An `aws_ecr_repository` resource block declares the tests for a single AWS ECR repository by repository name.
describe aws_ecr_repository(repository_name: 'my-repo') do
it { should exist }
end
The value of the `repository_name` can be provided as a string.
describe aws_ecr_repository('my-repo') do
it { should exist }
end
## Parameters
The repository name must be provided. The registry id is optional.
### repository_name _(required)_
The name of the ECR repository must satisfy the following constraints:
- Regex pattern `(?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*`.
- Minimum 2 and maximum of 256 characters long.
This can be passed either as a string or as a `repository_name: 'value'` key-value entry in a hash.
### registry_id _(optional)_
The 12-digit ID of the AWS Elastic Container Registry. If not provided, the [default](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_DescribeRepositories.html) registry is assumed.
## Properties
| Property | Description |
| -------------------- | ------------------------------------------------------------------------------------------ |
| repository_name | The name of the repository. |
| image_tag_mutability | The tag mutability settings for the repository. Valid values are `MUTABLE` or `IMMUTABLE`. |
| registry_id | The AWS account ID associated with the registry that contains the repository. |
| tags | An hash with each key-value pair corresponding to a tag associated with the entity. |
There are also additional properties available. For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_Repository.html)
## Examples
### Test that image tags are `IMMUTABLE` in an ECR repository
describe aws_ecr_repository('my-repo') do
its('image_tag_mutability') { should eq 'IMMUTABLE' }
end
### Test that images are scanned for vulnerabilities at a push to repository
describe aws_ecr_repository(repository_name: 'my-repo') do
its('image_scanning_configuration.scan_on_push') { should eq true}
end
### Test that an ECR repository has a certain tag
describe aws_ecr_repository('my-repo') do
its('tags') { should include('environment' => 'dev') }
end
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
describe aws_ecr_repository(repository_name: 'my-repo') do
it { should exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `ecr:DescribeRepositories` action set to allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon ECR](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_Operations.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).


@ -1,83 +0,0 @@
+++
title = "aws_ecs_cluster resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_ecs_cluster"
identifier = "inspec/resources/aws/aws_ecs_cluster.md aws_ecs_cluster resource"
parent = "inspec/resources/aws"
+++
Use the `aws_ecs_cluster` InSpec audit resource to test properties of a single AWS ECS Cluster.
## Syntax
An `aws_ecs_cluster` resource block declares the tests for a single AWS ECS Cluster by cluster name.
describe aws_ecs_cluser(cluster_name: 'cluster-8') do
it { should exist }
end
## Parameters
If no parameters are passed, the resource will attempt to retrieve the `default` ECS Cluster.
### cluster_name _(optional)_
This resource accepts a single parameter, the Cluster Name.
This can be passed either as a string or as a `cluster_name: 'value'` key-value entry in a hash.
See also the [AWS documentation on ECS Clusters](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ECS_clusters.html).
## Properties
| Property | Description |
| ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------ |
| cluster_arn | The Amazon Resource Name (ARN) that identifies the cluster. |
| cluster_name | A user-generated string that you use to identify your cluster. |
| status | The status of the cluster. |
| running_tasks_count | The number of tasks in the cluster that are in the RUNNING state. |
| pending_tasks_count | The number of tasks in the cluster that are in the PENDING state. |
| active_services_count | The number of services that are running on the cluster in an ACTIVE state. |
| registered_container_instances_count | The number of container instances registered into the cluster. This includes container instances in both ACTIVE and DRAINING status. |
| statistics | Additional information about your clusters that are separated by launch type. |
## Examples
### Test that an ECS Cluster does not exist
describe aws_ecs_cluster(cluster_name: 'invalid-cluster') do
it { should_not exist }
end
### Test that an ECS Cluster is active
describe aws_ecs_cluster('cluster-8') do
its ('status') { should eq 'ACTIVE' }
end
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_ecs_cluster('cluster-8') do
it { should exist }
end
describe aws_ecs_cluster('cluster-9') do
it { should_not exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal)
will need the `ec2:DescribeClusters` action set to allow.


@ -1,74 +0,0 @@
+++
title = "aws_ecs_clusters resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_ecs_clusters"
identifier = "inspec/resources/aws/aws_ecs_clusters.md aws_ecs_clusters resource"
parent = "inspec/resources/aws"
+++
Use the `aws_ecs_clusters` InSpec audit resource to test properties of some or all AWS ECS Clusters.
## Syntax
An `aws_ecs_clusters` resource block returns all ECS Clusters and allows the testing of that group of Clusters.
describe aws_ecs_clusters do
its('cluster_names') { should include 'cluster-root' }
end
## Parameters
This resource does not expect any parameters.
See also the [AWS documentation on ECS Clusters](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ECS_clusters.html).
## Properties
| Property | Description |
| ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------ |
| cluster_arn | The Amazon Resource Name (ARN) that identifies the cluster. |
| cluster_name | A user-generated string that you use to identify your cluster. |
| status | The status of the cluster. |
| running_tasks_count | The number of tasks in the cluster that are in the RUNNING state. |
| pending_tasks_count | The number of tasks in the cluster that are in the PENDING state. |
| active_services_count | The number of services that are running on the cluster in an ACTIVE state. |
| registered_container_instances_count | The number of container instances registered into the cluster. This includes container instances in both ACTIVE and DRAINING status. |
| statistics | Additional information about your clusters that are separated by launch type. |
| entries | Provides access to the raw results of the query, which can be treated as an array of hashes. |
## Examples
### Ensure there are no Clusters in an undesired state.
describe aws_ecs_clusters do
it { should exist }
its('statuses') { should_not include 'UNDESIRED-STATUS'}
its('cluster_names') { should include 'SQL-cluster' }
end
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_ecs_clusters.where( <property>: <value>) do
it { should exist }
end
describe aws_ecs_clusters.where( <property>: <value>) do
it { should_not exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `ecs:ListClusters` & `ecs:DescribeClusters` action set to allow.


@ -1,110 +0,0 @@
+++
title = "aws_efs_file_system resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_efs_file_system"
identifier = "inspec/resources/aws/aws_efs_file_system.md aws_efs_file_system"
parent = "inspec/resources/aws"
+++
[\[edit on GitHub\]](https://github.com/inspec/inspec/blob/master/docs-chef-io/content/inspec/rources/aws_efs_file_system.md)
Use the `aws_efs_file_system` InSpec audit resource to test the properties of a single AWS EFS file system.
This resource is added to InSpec AWS resource pack in version **[1.10.0](https://github.com/inspec/inspec-aws/releases/tag/v1.10.0)** and it is available with InSpec **[4.18.108](https://github.com/inspec/inspec/releases/tag/v4.18.108)** and later versions.
## Syntax
An `aws_efs_file_system` resource block declares the tests for a single AWS EFS file system by either file system id or creation token.
describe aws_efs_file_system(file_system_id: 'fs-12345678') do
it { should be_encrypted }
its('size_in_bytes.value') { should cmp 6144 }
end
describe aws_efs_file_system(creation_token: 'my-token') do
its('encrypted') { should cmp true }
its('throughput_mode') { should eq 'bursting' }
end
The value of the `file_system_id` can be provided as a string.
describe aws_efs_file_system('fs-12345678') do
it { should exist }
end
## Parameters
Either the EFS file system id or creation token must be provided.
### file_system_id _(required if `creation_token` not provided)_
The ID of the EFS file system. This is in the format of `fs-` followed by 8 or 17 hexadecimal characters.
This can be passed either as a string or as a `file_system_id: 'value'` key-value entry in a hash.
### creation*token *(required if `file_system_id` not provided)\_
The creation token is automatically assigned by AWS if not provided by the user at creation.
This is a string with minimum 1 and maximum 64-character long.
This must be passed as a `creation_token: 'value'` key-value entry in a hash.
## Properties
| Property | Description |
| ---------------- | ----------------------------------------------------------------------------------- |
| creation_token | The value of the creation token. |
| file_system_id | The id of the file system which is auto-assigned by the AWS. |
| encrypted | Indicates whether the file system is encrypted or not. |
| life_cycle_state | The lifecycle phase of the file system, e.g. 'creating'. |
| owner_id | The AWS account that created the file system. |
| performance_mode | The performance mode of the file system, e.g. 'maxIO'. |
| throughput_mode | The throughput mode for a file system, e.g. 'bursting'. |
| tags | An hash with each key-value pair corresponding to a tag associated with the entity. |
There are also additional properties available. For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/efs/latest/ug/API_FileSystemDescription.html)
## Examples
### Test that an EFS file system is available
describe aws_efs_file_system("fs-12345678") do
its("life_cycle_state") { should eq 'available' }
end
### Test that an EFS file system is in 'maxIO' performance mode
describe aws_efs_file_system(creation_token: "My Token") do
its("performance_mode") { should eq "maxIO" }
end
### Test that an EFS file system has a certain tag
describe aws_efs_file_system(creation_token: "My Token") do
its("tags") { should include("companyName" => "My Company") }
end
## Matchers
This InSpec audit resource has the following special matchers. For a full list
of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
describe aws_efs_file_system(file_system_id: "fs-12345678") do
it { should exist }
end
### be_encrypted
describe aws_efs_file_system(creation_token: "My Token") do
it { should be_encrypted }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `elasticfilesystem:DescribeFileSystems` action set to allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EFS](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonelasticfilesystem.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).


@ -1,91 +0,0 @@
+++
title = "aws_efs_file_systems resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_efs_file_systems"
identifier = "inspec/resources/aws/aws_efs_file_systems.md aws_efs_file_systems"
parent = "inspec/resources/aws"
+++
Use the `aws_efs_file_systems` InSpec audit resource to test the properties of
some or all AWS EFS file systems. To audit a single EFS file system, use
`aws_efs_file_ststem` (singular).
This resource is added to InSpec AWS resource pack in version **[1.10.0](https://github.com/inspec/inspec-aws/releases/tag/v1.10.0)** and it is available with InSpec **[4.18.108](https://github.com/inspec/inspec/releases/tag/v4.18.108)** and later versions.
## Syntax
An `aws_efs_file_systems` resource block collects a group of EFS file system descriptions and then tests that group.
describe aws_efs_file_systems
it { should exist }
end
## Parameters
This resource does not expect any parameters.
## Properties
| Property | Description |
| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| tags | The list of tags that the EFS file system has. |
| names | The value of the `Name` (case sensitive) tag if it is defined. |
| file_system_ids | The ID of the EFS file system. |
| creation_tokens | The creation token that the EFS file system is associated. |
| owner_ids | The owner id of the EFS file system. |
| entries | Provides access to the raw results of the query, which can be treated as an array of hashes. |
| creation_times | The creation time of the EFS file system |
| performance_modes | The performance mode of the EFS file system, e.g. 'maxIO'. |
| encryption_status | This indicates whether the EFS file system is encrypted or not. |
| throughput_modes | The throughput mode of the EFS file system. |
| kms_key_ids | The ID of an AWS Key Management Service (AWS KMS) customer master key (CMK) that was used to protect the encrypted EFS file system. |
| size_in_bytes | The latest known metered size (in bytes) of data stored in the file system, in its `value` field. |
| life_cycle_states | The life cycle phase of the EFS file system, e.g. 'deleting'. |
## Examples
### Ensure you have exactly 3 file systems
describe aws_efs_file_systems do
its("entries.count") { should cmp 3 }
end
### Use this InSpec resource to request the IDs of all EFS file systems, then test in-depth using `aws_efs_file_system`.
aws_efs_file_systems.file_system_ids.each do |file_system_id|
describe aws_efs_file_system(file_system_id) do
its("tags") { should include("companyName" => "My Company Name") }
it { should be_encrypted }
its("throughput_mode") { should eq "bursting" }
its("performance_mode") { should eq "generalPurpose" }
end
end
## Matchers
For a full list of available matchers, please visit our [Universal Matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_efs_file_systems.where( <property>: <value>) do
it { should exist }
end
describe aws_efs_file_systems.where( <property>: <value>) do
it { should_not exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `elasticfilesystem:DescribeFileSystems` action set to allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon EFS](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonelasticfilesystem.html), and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).


@ -1,122 +0,0 @@
+++
title = "aws_eks_cluster resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_eks_cluster"
identifier = "inspec/resources/aws/aws_eks_cluster.md aws_eks_cluster resource"
parent = "inspec/resources/aws"
+++
Use the `aws_eks_cluster` InSpec audit resource to test properties of a single AWS Elastic Container Service for Kubernetes.
## Syntax
An `aws_eks_cluster` resource block declares the tests for a single EKS Cluster by Cluster name.
describe aws_eks_cluster('my-eks') do
it { should exist }
end
describe aws_eks_cluster(cluster_name: 'my-eks') do
it { should exist }
end
## Parameters
### cluster_name _(required)_
This resource requires a single parameter, the EKS Cluster Name.
This can be passed either as a string or as a `cluster_name: 'value'` key-value entry in a hash.
See also the [AWS documentation on EKS Clusters](https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html).
## Properties
| Property | Description |
| --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| arn | The Amazon Resource Name (ARN) of the cluster. |
| name | The name of the cluster. |
| endpoint | The endpoint for your Kubernetes API server. |
| status | The current status of the cluster. |
| version | The Kubernetes server version for the cluster. |
| certificate_authority | The certificate-authority-data for your cluster. |
| subnets_count | The number of subnets associated with your cluster. |
| subnet_ids | The subnets associated with your cluster. |
| security_groups_count | The count of security groups associated with your cluster. |
| security_group_ids | The security groups associated with the cross-account elastic network interfaces that are used to allow communication between your worker nodes and the Kubernetes control plane. |
| role_arn | The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. |
| vpc_id | The VPC associated with your cluster. |
| created_at | The Unix epoch timestamp in seconds for when the cluster was created. |
| creating | Boolean indicating whether or not the state of the cluster is CREATING. |
| active | Boolean indicating whether or not the state of the cluster is ACTIVE. |
| failed | Boolean indicating whether or not the state of the cluster is FAILED. |
| deleting | Boolean indicating whether or not the state of the cluster is DELETING. |
| tags | Cluster tags |
## Examples
### Test that an EKS Cluster has at least 2 subnets
describe aws_eks_cluster('my-cluster') do
its('subnets_count') { should be > 1 }
end
### Ensure a Cluster has the correct status.
describe aws_eks_cluster(cluster_name: 'my-eks') do
its('status') { should eq 'ACTIVE' }
end
### Ensure that the EKS Cluster is on the correct VPC
describe aws_eks_cluster('my-cluster') do
its('vpc_id') { should eq 'vpc-12345678' }
end
### Ensure the EKS Cluster is using the correct IAM Role.
describe aws_eks_cluster('my-cluster') do
its('role_arn') { should cmp 'rn:aws:iam::012345678910:role/eks-service-role-AWSServiceRoleForAmazonEKS-J7ONKE3BQ4PI' }
end
### Integrate with other resources
Use a combination of InSpec AWS resources to ensure your EKS Cluster does not use the Default VPC.
# Find the default Security Group for our VPC
cluster_vpc = aws_eks_cluster(cluster_name: 'my-cluster').vpc_id
default_sg = aws_security_group(group_name: 'default', vpc_id: cluster_vpc)
# Ensure we are not using the default Security Group
describe aws_eks_cluster(cluster_name: 'my-cluster') do
its('security_group_ids') { should_not include default_security_group.group_id }
end
## Matchers
This InSpec audit resource has no special matchers. For a full list of available matchers, please visit our [Universal Matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_eks_cluster('AnExistingCluster') do
it { should exist }
end
describe aws_eks_cluster('ANonExistentCluster') do
it { should_not exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `eks:DescribeCluster` action set to Allow.
You can find detailed documentation at [Amazon EKS IAM Policies, Roles, and Permissions](https://docs.aws.amazon.com/eks/latest/userguide/IAM_policies.html)
The documentation for EKS actions is at [Policy Structure](https://docs.aws.amazon.com/eks/latest/userguide/iam-policy-structure.html#UsingWithEKS_Actions)


@ -1,95 +0,0 @@
+++
title = "aws_eks_clusters resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_eks_clusters"
identifier = "inspec/resources/aws/aws_eks_clusters.md aws_eks_clusters resource"
parent = "inspec/resources/aws"
+++
Use the `aws_eks_clusters` resource to test the configuration of a collection of AWS Elastic Container Service for Kubernetes.
## Syntax
describe aws_eks_clusters do
its('names.count') { should cmp 10 }
end
## Parameters
This resource does not expect any parameters.
See also the [AWS documentation on EKS Clusters](https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html).
## Properties
| Property | Description |
| --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| arn | The Amazon Resource Name (ARN) of the cluster. |
| name | The name of the cluster. |
| endpoint | The endpoint for your Kubernetes API server. |
| status | The current status of the cluster. |
| version | The Kubernetes server version for the cluster. |
| certificate_authority | The certificate-authority-data for your cluster. |
| subnets_count | The number of subnets associated with your cluster. |
| subnet_ids | The subnets associated with your cluster. |
| security_groups_count | The count of security groups associated with your cluster. |
| security_group_ids | The security groups associated with the cross-account elastic network interfaces that are used to allow communication between your worker nodes and the Kubernetes control plane. |
| role_arn | The Amazon Resource Name (ARN) of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. |
| vpc_id | The VPC associated with your cluster. |
| created_at | The Unix epoch timestamp in seconds for when the cluster was created. |
| creating | Boolean indicating whether or not the state of the cluster is CREATING. |
| active | Boolean indicating whether or not the state of the cluster is ACTIVE. |
| failed | Boolean indicating whether or not the state of the cluster is FAILED. |
| deleting | Boolean indicating whether or not the state of the cluster is DELETING. |
| entries | Provides access to the raw results of the query, which can be treated as an array of hashes. |
## Examples
### Allow at most 100 EKS Clusters on the account
describe aws_eks_clusters do
its('entries.count') { should be <= 100}
end
### Ensure a specific Cluster exists, by name
describe aws_eks_clusters do
its('names') { should include('cluster-1') }
end
### Ensure no Clusters are in a failed state
describe aws_eks_clusters.where( failed: true ) do
it { should_not exist )
end
## Matchers
This InSpec audit resource has the following special matchers. For a full list
of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_eks_clusters.where( <property>: <value>) do
it { should exist }
end
describe aws_eks_clusters.where( <property>: <value>) do
it { should_not exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `eks:DescribeCluster` action with Effect set to Allow.
You can find detailed documentation at [Amazon EKS IAM Policies, Roles, and Permissions](https://docs.aws.amazon.com/eks/latest/userguide/IAM_policies.html)
The documentation for EKS actions is at [Policy Structure](https://docs.aws.amazon.com/eks/latest/userguide/iam-policy-structure.html#UsingWithEKS_Actions)


@ -1,102 +0,0 @@
+++
title = "aws_elasticache_cluster resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_elasticache_cluster"
identifier = "inspec/resources/aws/aws_elasticache_cluster.md aws_elasticache_cluster"
parent = "inspec/resources/aws"
+++
[\[edit on GitHub\]](https://github.com/inspec/inspec/blob/master/docs-chef-io/content/aws_elasticache_cluster.md)
Use the `aws_elasticache_cluster` InSpec audit resource to test the properties of a single AWS ElastiCache cluster.
## Syntax
An `aws_elasticache_cluster` resource block declares the tests for a single AWS ElastiCache cluster by `cache_cluster_id`.
describe aws_elasticache_cluster(cache_cluster_id: 'my-cluster-123') do
it { should exist }
end
The value of the `cache_cluster_id` can be provided as a string.
describe aws_elasticache_cluster('my-cluster-123') do
its('engine') { should cmp 'redis' }
end
## Parameters
The ElastiCache cluster ID must be provided.
### cache_cluster_id _(required)_
The ID of the ElastiCache cluster:
- contains between 1 and 50 alphanumeric characters or hyphens,
- should start with a letter,
- cannot end with a hyphen or contain two consecutive hyphens.
It can be passed either as a string or as a `cache_cluster_id: 'value'` key-value entry in a hash.
## Properties
| Property | Description |
| -------------------- | ------------------------------------------------------------------------------------------------------- |
| cache_cluster_id | The user-supplied identifier of the cluster. This identifier is a unique key that identifies a cluster. |
| engine | The name of the cache engine, e.g. `redis`. |
| node_ids | The id list of all cluster nodes. |
| ports | A hash of the node ID and port number pairs. |
| status | The current state of the cluster, e.g. `creating`, `available`. |
| encrypted_at_rest | Indicates whether the content is encrypted at rest or not. |
| encrypted_at_transit | Indicates whether the content is encrypted at transit or not. |
There are also additional properties available. For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CacheCluster.html).
## Examples
### Test that an ElastiCache cluster is available
describe aws_elasticache_cluster("my-cluster-123") do
its("status") { should eq 'available' }
end
### Test that an Elasticache cluster engine is listening on port `11211`
describe aws_elasticache_cluster(cache_cluster_id: "my-cluster-123") do
its("port") { should cmp 11211 }
end
### Test that an Elasticache cluster's engine version is `1.5.16`
describe aws_elasticache_cluster(cache_cluster_id: "my-cluster-123") do
its("engine_version") { should cmp 1.5.16 }
end
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
describe aws_elasticache_cluster(cache_cluster_id: "my-cluster-123") do
it { should exist }
end
### be_encrypted_at_rest
describe aws_elasticache_cluster(cache_cluster_id: "my-cluster-123") do
it { should be_encrypted_at_rest }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal)
will need the `elasticache:DescribeCacheClusters` action set to allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon ElastiCache](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonelasticache.html),
and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).


@ -1,89 +0,0 @@
+++
title = "aws_elasticache_cluster_node resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_elasticache_cluster_node"
identifier = "inspec/resources/aws/aws_elasticache_cluster_node.md aws_elasticache_cluster_node"
parent = "inspec/resources/aws"
+++
Use the `aws_elasticache_cluster_node` InSpec audit resource to test the properties of a single AWS ElastiCache cluster node.
## Syntax
An `aws_elasticache_cluster_node` resource block declares the tests for a single AWS ElastiCache cluster node by `cache_cluster_id` and `node_id`.
describe aws_elasticache_cluster_node(cache_cluster_id: 'my-cluster-123', node_id: '0001') do
it { should exist }
end
## Parameters
The ElastiCache cluster ID and node ID must be provided.
### cache_cluster_id _(required)_
The ID of the ElastiCache cluster:
- contains between 1 and 50 alphanumeric characters or hyphens,
- should start with a letter,
- cannot end with a hyphen or contain two consecutive hyphens.
It can be passed either as a string or as a `cache_cluster_id: 'value'` key-value entry in a hash.
### node_id _(required)_
The ID of the node must be a string containing 4 digits. It can be passed as a `node_id: 'value'` key-value entry in a hash.
## Properties
| Property | Description |
| ----------- | ---------------------------------------------------------------------------------------------------------------------- |
| id | The cache node identifier, e.g. `0001`. |
| port | The port number that the cache engine is listening on. |
| address | The DNS hostname of the cache node. |
| status | The current state of the cache node. One of the following values: `available`, `creating`, `rebooting`, or `deleting`. |
| create_time | The date and time when the cache node was created. |
There are also additional properties available. For a comprehensive list, see [the API reference documentation](https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CacheNode.html).
## Examples
### Test that an ElastiCache cluster node is available
describe aws_elasticache_cluster_node(cache_cluster_id: "my-cluster-123", node_id: "0001") do
its("status") { should eq 'available' }
end
### Test that an Elasticache cluster engine is listening on port `11211`
describe aws_elasticache_cluster_node(cache_cluster_id: "my-cluster-123", node_id: "0001") do
its("port") { should cmp 11211 }
end
### Test that an Elasticache cluster node's customer availability zone is `us-east-2b`
describe aws_elasticache_cluster_node(cache_cluster_id: "my-cluster-123", node_id: "0001") do
its("customer_availability_zone") { should cmp "us-east-2b" }
end
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
describe aws_elasticache_cluster_node(cache_cluster_id: "my-cluster-123", node_id: "0001") do
it { should exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `elasticache:DescribeCacheClusters` action set to allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon ElastiCache](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonelasticache.html),
and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).


@ -1,83 +0,0 @@
+++
title = "aws_elasticache_clusters resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_elasticache_clusters"
identifier = "inspec/resources/aws/aws_elasticache_clusters.md aws_elasticache_clusters"
parent = "inspec/resources/aws"
+++
Use the `aws_elasticache_clusters` InSpec audit resource to test the properties
of all AWS ElastiCache clusters. To audit a single ElastiCache cluster, use `aws_elasticache_cluster` (singular).
## Syntax
An `aws_elasticache_clusters` resource block collects a group of ElastiCache cluster descriptions and then tests that group.
describe aws_elasticache_clusters
it { should exist }
end
## Parameters
This resource does not expect any parameters.
## Properties
| Property | Description |
| -------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
| ids | The user-supplied identifier of the cluster. This identifier is a unique key that identifies a cluster. |
| node_types | The name of the compute and memory capacity node type for the cluster, e.g. `cache.m5.large`. |
| engines | The name of the cache engine, e.g. `redis`. |
| status | The current state of the cluster, e.g. `creating`, `available`. |
| zones | The name of the availability zone in which the cluster is located or "Multiple" if the cache nodes are located in different availability zones. |
| subnet_group_names | The name of the cache subnet group. |
| encrypted_at_rest | Indicates whether the content is encrypted at rest or not. |
| encrypted_at_transit | Indicates whether the content is encrypted at transit or not. |
## Examples
### Ensure that exactly 3 ElastiCache clusters exist
describe aws_elasticache_clusters do
its("entries.count") { should cmp 3 }
end
### Use this InSpec resource to request the IDs of all ElastiCache clusters, then test in-depth using `aws_elasticache_cluster` and `aws_elasticache_cluster_node`.
aws_elasticache_clusters.ids.each do |id|
aws_elasticache_cluster(id).node_ids.each do |node_id|
describe aws_elasticache_cluster_node(cache_cluster_id: id, node_id: node_id) do
it { should exist }
end
end
end
## Matchers
For a full list of available matchers, please visit our [Universal Matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_elasticache_clusters.where( <property>: <value>) do
it { should exist }
end
describe aws_elasticache_clusters.where( <property>: <value>) do
it { should_not exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `elasticache:DescribeCacheClusters` action set to allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Amazon ElastiCache](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonelasticache.html),
and [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).


@ -1,114 +0,0 @@
+++
title = "aws_elb resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_elb"
identifier = "inspec/resources/aws/aws_elb.md aws_elb resource"
parent = "inspec/resources/aws"
+++
Use the `aws_elb` InSpec audit resource to test properties of a single AWS Elastic Load Balancer (ELB).
## Syntax
An `aws_elb` resource block declares the tests for a single AWS ELB by ELB name. AWS ELB Names are unique per region.
describe aws_elb('my-elb') do
it { should exist }
end
describe aws_elb(load_balancer_name: 'my-elb') do
it { should exist }
end
## Parameters
### load_balancer_name _(required)_
This resource accepts a single parameter, the ELB Name which uniquely identifies the ELB.
This can be passed either as a string or as a `load_balancer_name: 'value'` key-value entry in a hash.
See also the [AWS documentation on Elastic Load Balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference).
## Properties
| Property | Description |
| ------------------ | ------------------------------------------------------------------------------------------------------- |
| load_balancer_name | The name of the load balancer. |
| dns_name | The DNS name of the load balancer. |
| availability_zones | The Availability Zones for the load balancer. |
| instance_ids | An array containing all instance ids associated with the ELB. |
| external_ports | An array of the external ports exposed on the ELB. |
| internal_ports | An array of the internal ports exposed on the ELB. |
| security_group_ids | The security groups for the load balancer. Valid only for load balancers in a VPC. |
| vpc_id | The ID of the VPC for the load balancer. |
| subnet_ids | The IDs of the subnets for the load balancer. |
| listeners | A collection of the listeners for the load balancer. |
| ssl_policies | A collection of the SSL Policies configured in-use for the load balancer (and their policy attributes). |
| protocols | A list of the protocols configured for the listeners of the load balancer. |
## Examples
### Test that an ELB has its availability zones configured correctly
describe aws_elb('prod_web_app_elb') do
its('availability_zones.count') { should be > 1 }
its('availability_zones') { should include 'us-east-2a' }
its('availability_zones') { should include 'us-east-2b' }
end
### Ensure an ELB has the correct number of EC2 Instances associated with it
describe aws_elb('prod_web_app_elb') do
its('instance_ids.count') { should cmp 3 }
end
### Ensure the correct DNS is set
describe aws_elb('prod_web_app_elb') do
its('dns_name') { should cmp 'your-fqdn.com' }
end
### Ensure we only expose port 80, both to the public and internal
describe aws_elb('prod_web_app_elb') do
its('external_ports.count') { should cmp 1 }
its('external_ports') { should include 80 }
its('internal_ports.count') { should cmp 1 }
its('internal_ports') { should include 80 }
end
### Ensure the correct EC2 Instances are associated
describe aws_elb('prod_web_app_elb') do
its('instance_ids') { should include 'i-12345678' }
end
## Matchers
This InSpec audit resource has no special matchers. For a full list of available matchers, please visit our [Universal Matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_elb('AnExistingELB') do
it { should exist }
end
describe aws_elb('ANonExistentELB') do
it { should_not exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal)
will need the `elasticloadbalancing:DescribeLoadBalancers` action set to Allow.
You can find detailed documentation at [Authentication and Access Control for Your Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html)


@ -1,85 +0,0 @@
+++
title = "aws_elbs resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_elbs"
identifier = "inspec/resources/aws/aws_elbs.md aws_elbs resource"
parent = "inspec/resources/aws"
+++
Use the `aws_elbs` InSpec audit resource to test the configuration of a collection
of AWS Elastic Load Balancers.
## Syntax
describe aws_elbs do
its('load_balancer_names') { should include 'elb-name' }
end
## Parameters
This resource does not expect any parameters.
See also the [AWS documentation on Elastic Load Balancing](https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference).
## Properties
| Property | Description |
| ------------------- | ---------------------------------------------------------------------------------- |
| load_balancer_names | The name of the load balancer. |
| dns_names | The DNS name of the load balancer. |
| availability_zones | The Availability Zones for the load balancer. |
| instance_ids | An array containing all instance ids associated with the ELB. |
| external_ports | An array of the external ports exposed on the ELB. |
| internal_ports | An array of the internal ports exposed on the ELB. |
| security_group_ids | The security groups for the load balancer. Valid only for load balancers in a VPC. |
| vpc_ids | The ID of the VPC for the load balancer. |
| subnet_id s | The IDs of the subnets for the load balancer. |
## Examples
### Ensure there are no Load Balancers with an undesired zone.
describe aws_elbs do
it { should exist }
its('availability_zones') { should_not include 'us-east-1a'}
end
### Ensure all ELBs expose only port 80
aws_elbs.each do |elb|
describe elb do
its('external_ports.count') { should cmp 1 }
its('external_ports') { should include 80 }
its('internal_ports.count') { should cmp 1 }
its('internal_ports') { should include 80 }
end
end
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_elbs.where( <property>: <value>) do
it { should exist }
end
describe aws_elbs.where( <property>: <value>) do
it { should_not exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `elasticloadbalancing:DescribeLoadBalancers` action set to Allow.
You can find detailed documentation at [Authentication and Access Control for Your Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html)


@ -1,122 +0,0 @@
+++
title = "aws_flow_log resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_flow_log"
identifier = "inspec/resources/aws/aws_flow_log.md aws_flow_log resource"
parent = "inspec/resources/aws"
+++
Use the `aws_flow_log` InSpec audit resource to test properties of a single Flow Log.
## Syntax
describe aws_flow_log(flow_log_id: 'fl-9c718cf5') do
it { should exist }
end
## Parameters
This resource requires at least one of the following parameters to be provided: `flow_log_id`, `subnet_id`, `vpc_id`.
### flow_log_id _(required if no other parameters provided)_
The Flow Log ID which uniquely identifies the Flow Log.
This can be passed either as a string or as a `flow_log_id: 'value'` key-value entry in a hash.
### subnet_id _(required if no other parameters provided)_
The subnet associated with the Flow Log, if applicable.
This must be passed as a `subnet_id: 'value'` key-value entry in a hash.
### vpc_id _(required if no other parameters provided)_
The VPC associated with the Flow Log, if applicable.
This must be passed as a `vpc_id: 'value'` key-value entry in a hash.
See also the [AWS documentation on Flow Logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html).
## Properties
| Property | Description |
| -------------- | ------------------------------------------------------------------------- |
| flow_log_id | The ID of the Flow Log. |
| log_group_name | The name of the associated log group. |
| resource_id | The ID of the assosiated resource, e.g. VPC, Subnet or Network Interface. |
## Examples
### Search for a flow log by the associated subnet id
describe aws_flow_log(subnet_id: 'subnet-c6a4319c') do
it { should exist }
end
### Search for a flow log by the associated VPC id
describe aws_flow_log(vpc_id: 'vpc-96cabaef') do
it { should exist }
end
### Ensure the correct Flow Log is associated with a Subnet
describe aws_flow_log(subnet_id: 'subnet-c6a4319c') do
its('flow_log_id') { should cmp 'fl-9c718cf5' }
end
### Ensure the Flow Log is associated with the correct resource type
describe aws_flow_log('fl-9c718cf5') do
its('resource_type') { should cmp 'subnet' }
end
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_flow_log('AnExistingFlowLog') do
it { should exist }
end
describe aws_flow_log('ANonExistentFlowLog') do
it { should_not exist }
end
### be_attached_to_eni
Indicates that the Flow Log is attached to a ENI resource.
describe aws_flow_log('fl-9c718cf5') do
it { should be_attached_to_eni }
end
### be_attached_to_subnet
Indicates that the Flow Log is attached to a subnet resource.
describe aws_flow_log('fl-9c718cf5') do
it { should be_attached_to_subnet }
end
### be_attached_to_vpc
Indicates that the Flow Log is attached to a vpc resource.
describe aws_flow_log('fl-9c718cf5') do
it { should be_attached_to_vpc }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal)
will need the `ec2:DescribeFlowLogs` actions with Effect set to Allow.


@ -1,99 +0,0 @@
+++
title = "aws_hosted_zone resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_hosted_zone"
identifier = "inspec/resources/aws/aws_hosted_zone.md aws_hosted_zone resource"
parent = "inspec/resources/aws"
+++
Use the `aws_hosted_zone` resource to test a specific hosted zone configuration.
## Syntax
```ruby
describe aws_hosted_zone('zone-name') do
it { should exist }
its ('name_servers.count') { should eq 4 }
its ('private_zone') { should be false }
its ('record_names') { should include 'sid-james.carry-on.films.com' }
end
```
## Parameters
This resource takes one parameter, the name of the hosted zone to validate.
## Properties
| Property | Description |
| ------------ | ------------------------------------------------------------------------------------------------ |
| name | The name of the hosted zone. |
| id | It's id. |
| name_servers | List of the associated name servers |
| private_zone | If the hosted zone if private or public |
| record_count | Number of associated records |
| records | The associated records, flattens the list, so each rule will have multiple records for each type |
## Examples
### Ensure a specific hosted zone exists
```ruby
describe aws_hosted_zone('zone-name') do
it { should exist }
end
```
## Matchers
This InSpec audit resource has the following special matchers. For a full list
of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
The control will pass if the describe passes all tests.
Use `exist` to validate the hosted zone exists
```ruby
describe aws_hosted_zone('zone-name') do
it { should exist }
end
```
Use `should_not` to test the entity should not exist.
```ruby
describe aws_hosted_zone('zone-name') do
it { should_not exist }
end
```
### should
The control will pass if the describe passes all tests.
Use `should` to validate the hosted zone if public or private, the number of name
servers is correct or that a specific record exists e.g.
```ruby
describe aws_hosted_zone('zone-name') do
it { should exist }
its ('name_servers.count') { should eq 4 }
its ('private_zone') { should be false }
its ('record_names') { should include 'sid-james.carry-on.films.com' }
end
```
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal)
will need the `route53:ListHostedZones` action with Effect set to Allow.
You can find detailed documentation at
[Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/r53-api-permissions-ref.html)


@ -1,66 +0,0 @@
+++
title = "aws_hosted_zones resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_hosted_zones"
identifier = "inspec/resources/aws/aws_hosted_zones.md aws_hosted_zones resource"
parent = "inspec/resources/aws"
+++
Use the `aws_hosted_zones` resource to test the hosted zones configuration.
## Syntax
```ruby
describe aws_hosted_zones do
its('names') { should include ("carry-on.films.com") }
end
```
## Parameters
This resource does not expect any parameters.
## Properties
| Property | Description |
| -------- | ---------------------------- |
| name | The name of the hosted zone. |
| id | It's id. |
## Examples
### Ensure a specific hosted zone exists
```ruby
describe aws_hosted_zones do
its('names') { should include ("carry-on.films.com") }
end
```
## Matchers
This InSpec audit resource uses the following special matcher. For a full list
of available matchers, please visit our [matchers page](/inspec/matchers/).
### should
The control will pass if the describe passes all tests.
Use `should` to validate if a specific hosted zone exists
```ruby
describe aws_hosted_zones do
its('names') { should include ("carry-on.films.com") }
end
```
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `route53:ListHostedZones` action with Effect set to Allow.
You can find detailed documentation at [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/r53-api-permissions-ref.html)


@ -1,90 +0,0 @@
+++
title = "aws_iam_access_key resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_iam_access_key"
identifier = "inspec/resources/aws/aws_iam_access_key.md aws_iam_access_key resource"
parent = "inspec/resources/aws"
+++
Use the `aws_iam_access_key` InSpec audit resource to test properties of a single AWS IAM Access Key.
## Syntax
An `aws_iam_access_key` resource allows the testing of a single AWS IAM Access Key.
describe aws_iam_access_key(access_key_id: 'AKIA1111111111111111') do
it { should exist }
end
## Parameters
This resources requires either an `access_key_id` or the IAM `username` associated with the Access Key.
### access_key_id _(required if `username` not provided.)_
The Access Key ID which uniquely identifies the Key. Begins with the characters "AKIA".
This can be passed either as a string or as a `access_key_id: 'value'` key-value entry in a hash.
### username _(required if `access_key\_id` not provided.)_
The IAM Username which is associated with the Access Key.
This can be passed either as a string or as a `username: 'value'` key-value entry in a hash.
See also the [AWS documentation on IAM Access Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html).
## Properties
| Property | Description |
| ------------- | --------------------------------------------------------- |
| access_key_id | The ID of the Access Key. |
| username | The IAM Username which is associated with the Access Key. |
| status | The status of the Access Key, e.g. "Active". |
| create_date | The creation date of the Access Key. |
## Examples
The following examples show how to use this InSpec audit resource.
### Test that an IAM Access Key has been used in the last 90 days
describe aws_iam_access_key(access_key_id: 'AKIA1111111111111111') do
it { should exist }
its('last_used_date') { should be > Time.now - 90 * 86400 }
end
### Test that an IAM Access Key for a specific user exists
describe aws_iam_access_key(username: 'psmith', id: 'AKIA1111111111111111') do
it { should exist }
end
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
it { should exist }
it { should_not exist }
### active
The `active` matcher tests if the described IAM Access Key has a status of Active.
it { should be_active }
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the following permissions action set to allow:
`iam:ListAccessKeys`
`iam:GetAccessKeyLastUsed`


@ -1,91 +0,0 @@
+++
title = "aws_iam_access_keys resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_iam_access_keys"
identifier = "inspec/resources/aws/aws_iam_access_keys.md aws_iam_access_keys resource"
parent = "inspec/resources/aws"
+++
Use the `aws_iam_access_keys` InSpec audit resource to test properties of some or all AWS IAM Access Keys.
## Syntax
An `aws_iam_access_keys` resource block returns all IAM Access Keys and allows the testing of that group of Access Keys.
describe aws_iam_access_keys do
it { should exist }
its('access_key_ids') { should include 'AKIA1111111111111111' }
end
## Parameters
This resources accepts a single optional parameter, a Username for which to retrieve all Access Keys.
If not provided, all Access Keys for all Users will be retrieved.
### username _(optional)_
The IAM Username for which to retrieve the Access Keys.
This can be passed either as a string or as a `username: 'value'` key-value entry in a hash.
See also the [AWS documentation on IAM Access Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html).
## Properties
| Property | Description |
| ------------------- | -------------------------------------------------------------------------------------------- |
| access_key_id | The ID of the Access Key. |
| username | The IAM Username which is associated with the Access Key. |
| active | Indicates if the status of the Key is Active. |
| inactive | Indicates if the status of the Key is Inactive. |
| ever_used | Indicates if the Key has ever been used. |
| never_used | Indicates if the Key has never been used. |
| create_date | The creation date of the Access Key. |
| created_days_ago | How many days ago the Access Key was created. |
| created_hours_ago | How many hours ago the Access Key was created. |
| created_with_user | Boolean indicating if the Access Key was created with a User. |
| last_used_date | The date the Access Key was last used. |
| last_used_hours_ago | How many hours ago the Key was last used. |
| last_used_days_ago | How many days ago the Key was last used. |
| user_created_date | The date on which the associated User was created. |
| entries | Provides access to the raw results of the query, which can be treated as an array of hashes. |
## Examples
### Test all Active keys
describe aws_iam_access_keys.where(active: true) do
its('access_key_ids') { should include 'AKIA1111111111111111' }
end
### Ensure a User has no Access Keys
describe aws_iam_access_keys.where(username: 'untrusted-account') do
it { should_not exist }
end
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
it { should exist }
it { should_not exist }
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the following permissions set to Allow:
`iam:GetUser`
`iam:GetAccessKeyLastUsed`
`iam:ListUsers`
`iam:ListAccessKeys`


@ -1,65 +0,0 @@
+++
title = "aws_iam_account_alias resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_iam_account_alias"
identifier = "inspec/resources/aws/aws_iam_account_alias.md aws_iam_account_alias resource"
parent = "inspec/resources/aws"
+++
Use the `aws_iam_account_alias` InSpec audit resource to test properties of the AWS IAM account alias.
## Syntax
An `aws_iam_account_alias` resource block may be used to perform tests on details of the AWS account alias.
describe aws_iam_account_alias do
it { should exist }
end
## Parameters
This resource does not expect any parameters.
See also the [AWS documentation on Account Aliases](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html).
## Properties
| Property | Description |
| -------- | ------------------------------------------- |
| alias | String containing the Alias of the account. |
## Examples
### Check that the account alias has not be set
describe aws_iam_account_alias do
it { should_not exist }
end
### Test if the account alias starts with expected prefix
describe aws_iam_account_alias do
it { should exist }
its('alias') { should match /^chef-/ }
end
## Matchers
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_iam_account_alias do
it { should exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:ListAccountAliases` action with Effect set to Allow.


@ -1,75 +0,0 @@
+++
title = "aws_iam_group resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_iam_group"
identifier = "inspec/resources/aws/aws_iam_group.md aws_iam_group resource"
parent = "inspec/resources/aws"
+++
Use the `aws_iam_group` InSpec audit resource to test properties of a single IAM group.
## Syntax
An `aws_iam_group` resource block identifies a group by group name.
describe aws_iam_group('mygroup') do
it { should exist }
end
# Hash syntax for group name
describe aws_iam_group(group_name: 'mygroup') do
it { should exist }
end
## Parameters
### group_name _(required)_
This resource accepts a single parameter, the Group Name which uniquely identifies the IAM Group.
This can be passed either as a string or as a `group_name: 'value'` key-value entry in a hash.
See also the [AWS documentation on IAM Groups](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html).
## Properties
| Property | Description |
| ---------- | ----------------------------------------- |
| group_name | The group name. |
| group_id | The group ID. |
| arn | The Amazon Resource Name of the group. |
| users | Array of users associated with the group. |
## Examples
### Ensure group contains a certain user
describe aws_iam_group('admin-group') do
its('users') { should include 'deployment-service-account')}
end
## Matchers
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_iam_group('AnExistingGroup') do
it { should exist }
end
describe aws_iam_group('ANonExistentGroup') do
it { should_not exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:GetGroup` action with Effect set to Allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).


@ -1,68 +0,0 @@
+++
title = "aws_iam_groups resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_iam_groups"
identifier = "inspec/resources/aws/aws_iam_groups.md aws_iam_groups resource"
parent = "inspec/resources/aws"
+++
Use the `aws_iam_groups` InSpec audit resource to test properties of a collection of IAM groups.
## Syntax
An `aws_iam_groups` resource block identifies a group by group name.
describe aws_iam_groups('mygroup') do
it { should exist }
end
# Hash syntax for group name
describe aws_iam_groups(group_name: 'mygroup') do
it { should exist }
end
## Parameters
This resource does not expect any parameters.
See also the [AWS documentation on IAM Groups](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html).
## Properties
| Property | Description |
| ----------- | -------------------------------------------------------------------------------------------- |
| group_names | The group name. |
| group_ids | The group ID. |
| arns | The Amazon Resource Name of the group. |
| users | Array of users associated with the group. |
| entries | Provides access to the raw results of the query, which can be treated as an array of hashes. |
## Examples
### Ensure group contains a certain user
describe aws_iam_groups do
it { should exist }
its('group_names') { should include 'prod-access-group' }
end
## Matchers
### exist
The control will pass if a group with the given group name exists.
describe aws_iam_groups do
it { should exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:ListGroup` action with Effect set to Allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).


@ -1,164 +0,0 @@
+++
title = "aws_iam_inline_policy resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_iam_inline_policy"
identifier = "inspec/resources/aws/aws_iam_inline_policy.md aws_iam_inline_policy resource"
parent = "inspec/resources/aws"
+++
Use the `aws_iam_inline_policy` InSpec audit resource to test properties of a single inline AWS IAM Policy embedded with IAM User, IAM Group or IAM Role. For managed policies, use the `aws_iam_policy` resource.
## Syntax
An `aws_iam_inline_policy` resource block identifies an inline policy by policy name and user/group/role by name
# Find an inline policy by name and role name
describe aws_iam_inline_policy(role_name: 'role-x', policy_name: 'policy-1') do
it { should exist }
end
# Find an inline policy by name and group name
describe aws_iam_inline_policy(group_name: 'group-x', policy_name: 'policy-1') do
it { should exist }
end
# Find an inline policy by name and user name
describe aws_iam_inline_policy(user_name: 'user-a', policy_name: 'policy-1') do
it { should exist }
end
## Parameters
This resource requires `policy_name` and one of the `role_name`, `group_name` or `user_name` to be provided.
See AWS Documentation on inline policies for more details
- [get-role-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-role-policy.html)
- [get-group-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-group-policy.html)
- [get-user-policy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-user-policy.html)
## Properties
| Property | Description |
| --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| policy | Returns the default version of the policy document after decoding as a Ruby hash. This hash contains the policy statements and is useful for performing checks that cannot be expressed using higher-level matchers like `have_statement`. |
| statement_count | Returns the number of statements present in the `policy`. |
## Examples
### Test that a policy does exist
describe aws_iam_inline_policy(role_name: 'role-x', policy_name: 'policy-1') do
it { should exist }
end
### Examine the policy statements
describe aws_iam_inline_policy(role_name: 'role-x', policy_name: 'policy-1') do
# Verify that there is at least one statement allowing access to S3
it { should have_statement(Action: 's3:PutObject', Effect: 'allow') }
# have_statement does not expand wildcards. If you want to verify
# they are absent, an explicit check is required.
it { should_not have_statement(Action: 's3:*') }
# You can also check NotAction
it { should_not have_statement(NotAction: 'iam:*') }
end
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
it { should exist }
it { should_not exist }
### have_statement
Examines the list of statements contained in the policy and passes if at least
one of the statements matches. This matcher does _not_ interpret the policy in a
request authorization context, as AWS does when a request processed. Rather,
`have_statement` examines the literal contents of the IAM policy, and reports on
what is present (or absent, when used with `should_not`).
`have_statement` accepts the following criteria to search for matching statements.
If any statement matches all the criteria, the test is successful. All criteria
may be used as Titlecase (as in the AWS examples) or lowercase, string or symbol.
- `Action` - Expresses the requested operation. Acceptable literal values are any AWS operation name, including the '\*' wildcard character. `Action` may also use a list of AWS operation names.
- `Effect` - Expresses if the operation is permitted. Acceptable values are 'Deny' and 'Allow'.
- `Sid` - A user-provided string identifier for the statement.
- `Resource` - Expresses the operation's target. Acceptable values are ARNs, including the '\*' wildcard. `Resource` may also use a list of ARN values.
Please note the following about the behavior of `have_statement`:
- `Action`, `Sid`, and `Resource` allow using a regular expression as the search critera instead of a string literal.
- it does not support wildcard expansion; to check for a wildcard value, check for it explicitly. For example, if the policy includes a statement with `"Action": "s3:*"` and the test checks for `Action: "s3:PutObject"`, the test _will not match_. You must write an additional test checking for the wildcard case.
- it supports searching list values. For example, if a statement contains a list of 3 resources, and a `have_statement` test specifes _one_ of those resources, it will match.
- `Action` and `Resource` allow using a list of string literals or regular expressions in a test, in which case _all_ must match on the _same_ statement for the test to match. Order is ignored.
- it does not support the `[Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal)` or `Conditional` key, or any of `NotAction`, `Not[Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal)`, or `NotResource`.
Examples:
# Verify there is no full-admin statement
describe aws_iam_inline_policy(role_name: 'role-x', policy_name: 'policy-1') do
it { should_not have_statement('Effect' => 'Allow', 'Resource' => '*', 'Action' => '*')}
end
# Symbols and lowercase also allowed as criteria
describe aws_iam_inline_policy(role_name: 'role-x', policy_name: 'policy-1') do
# All 4 the same
it { should_not have_statement('Effect' => 'Allow', 'Resource' => '*', 'Action' => '*')}
it { should_not have_statement('effect' => 'Allow', 'resource' => '*', 'action' => '*')}
it { should_not have_statement(Effect: 'Allow', Resource: '*', Action: '*')}
it { should_not have_statement(effect: 'Allow', resource: '*', action: '*')}
end
# Verify bob is allowed to manage things on S3 buckets that start with bobs-stuff
describe aws_iam_inline_policy(role_name: 'role-x', policy_name: 'policy-1') do
it { should have_statement(Effect: 'Allow',
# Using the AWS wildcard - this must match exactly
Resource: 'arn:aws:s3:::bobs-stuff*',
# Specify a list of actions - all must match, no others, order isn't important
Action: ['s3:PutObject', 's3:GetObject', 's3:DeleteObject'])}
# Bob would make new buckets constantly if we let him.
it { should_not have_statement(Effect: 'Allow', Action: 's3:CreateBucket')}
it { should_not have_statement(Effect: 'Allow', Action: 's3:*')}
it { should_not have_statement(Effect: 'Allow', Action: '*')}
# An alternative to checking for wildcards is to specify the
# statements you expect, then restrict statement count
its('statement_count') { should cmp 1 }
end
# Use regular expressions to examine the policy
describe aws_iam_inline_policy(role_name: 'role-x', policy_name: 'policy-1') do
# Check to see if anything mentions RDS at all.
# This catches `rds:CreateDBinstance` and `rds:*`, but would not catch '*'.
it { should_not have_statement(Action: /^rds:.+$/)}
# This policy should refer to both sally and kim's s3 buckets.
# This will only match if there is a statement that refers to both resources.
it { should have_statement(Resource: [/arn:aws:s3.+:sally/, /arn:aws:s3.+:kim/]) }
# The following also matches on a statement mentioning only one of them
it { should have_statement(Resource: /arn:aws:s3.+:(sally|kim)/) }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:GetUserPolicy`, `iam:GetRolePolicy`, and `iam:GetGroupPolicy` actions set to allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).


@ -1,95 +0,0 @@
+++
title = "aws_iam_password_policy resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_iam_password_policy"
identifier = "inspec/resources/aws/aws_iam_password_policy.md aws_iam_password_policy resource"
parent = "inspec/resources/aws"
+++
Use the `aws_iam_password_policy` InSpec audit resource to test properties of an AWS IAM Password Policy.
## Syntax
An `aws_iam_password_policy` resource block declares the tests for an AWS IAM Password Policy.
describe aws_iam_password_policy do
it { should exist }
end
## Parameters
This resource does not expect any parameters.
See also the [AWS documentation on Auto Scaling Group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/AutoScalingGroup.html).
## Properties
| Property | Description |
| ------------------------------- | -------------------------------------------------------------------------- |
| minimum_password_length | The minimum character count of the password policy. |
| max_password_age_in_days | Integer representing in days how long a password may last before expiring. |
| number_of_passwords_to_remember | Number of previous passwords to remember. |
## Examples
### Test that a Password Policy meets your company's requirements.
describe aws_iam_password_policy do
it { should require_uppercase_characters }
it { should require_lowercase_characters }
it { should require_numbers }
its('minimum_password_length') { should be > 8 }
end
### Test that users can change their own passwords
describe aws_iam_password_policy do
it { should allow_users_to_change_password }
end
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
it { should exist }
### prevent_password_reuse
it { should prevent_password_reuse }
### expire_passwords
it { should expire_passwords }
### require_numbers
it { should require_numbers }
### require_symbols
it { should require_symbols }
### require_lowercase_characters
it { should require_lowercase_characters }
### require_uppercase_characters
it { should require_uppercase_characters}
### allow_users_to_change_passwords
it { should allow_users_to_change_password }
All matchers can use the inverse `should_not` predicate.
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the following permissions action set to allow: `iam:GetAccountPasswordPolicy`


@ -1,88 +0,0 @@
+++
title = "aws_iam_policies resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_iam_policies"
identifier = "inspec/resources/aws/aws_iam_policies.md aws_iam_policies resource"
parent = "inspec/resources/aws"
+++
Use the `aws_iam_policies` InSpec audit resource to test properties of a collection of AWS IAM Policies.
## Syntax
`aws_iam_policies` Resource returns a collection of IAM Policies and allows testing of that collection.
describe aws_iam_policies do
its('policy_names') { should include('test-policy-1') }
end
## Parameters
### only_attached _(optional)_
This resource allows filtering by only_attached.
When `OnlyAttached` is `true`, the returned list contains only the policies that are attached to an IAM user, group, or role. When `OnlyAttached` is `false`, or when the parameter is not included, all policies are returned.
### scope _(optional)_
This resource allows filtering by scope.
To list only AWS managed policies, set `Scope` to `AWS`. To list only the customer managed policies in your AWS account, set `Scope` to `Local`. If scope is not supplied `ALL` policies are returned.
See also the [AWS documentation on IAM Policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html).
## Properties
| Property | Description |
| ------------------- | -------------------------------------------------------------------------------------------- |
| arns | The ARN identifier of the specified policy. |
| policy_ids | The policy ids. |
| policy_names | The policy names. |
| attachment_counts | The count of attached entities for each policy. |
| attached_groups | The list of group names of the groups attached to each policy. |
| attached_roles | The list of role names of the roles attached to each policy. |
| attached_users | The list of usernames of the users attached to each policy. |
| default_version_ids | The 'default_version_id' value of each policy. |
| entries | Provides access to the raw results of the query, which can be treated as an array of hashes. |
## Examples
### Ensure a policy exists
describe aws_iam_policies do
its('policy_names') { should include('test-policy-1') }
end
### Allow at most 100 IAM Policies on the account
describe aws_iam_policies do
its('entries.count') { should be <= 100}
end
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_iam_policies.where( <property>: <value>) do
it { should exist }
end
describe aws_iam_policies.where( <property>: <value>) do
it { should_not exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:ListPolicies` action with Effect set to Allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).


@ -1,203 +0,0 @@
+++
title = "aws_iam_policy resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_iam_policy"
identifier = "inspec/resources/aws/aws_iam_policy.md aws_iam_policy resource"
parent = "inspec/resources/aws"
+++
Use the `aws_iam_policy` InSpec audit resource to test properties of a single managed AWS IAM Policy.
## Syntax
An `aws_iam_policy` resource block identifies a policy by policy name or arn
# Find a policy by name
describe aws_iam_policy('AWSSupportAccess') do
it { should exist }
end
# Hash syntax for policy name
describe aws_iam_policy(policy_name: 'AWSSupportAccess') do
it { should exist }
end
## Parameters
This resource requires either the `policy_name` or the `policy_arn` to be provided.
### policy_name _(required if `policy_arn` not provided)_
The Policy Name which uniquely identifies the Policy.
This must be passed as a `policy_name: 'value'` key-value entry in a hash.
### policy_arn _(required if `policy_name` not provided)_
The Policy ARN which uniquely identifies the Policy.
This must be passed as a `policy_arn: 'value'` key-value entry in a hash.
See also the [AWS documentation on IAM Policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html).
## Properties
| Property | Description |
| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| arn | The ARN identifier of the specified policy. |
| attachment_count | The count of attached entities for the specified policy. |
| attached_groups | The list of group names of the groups attached to the policy. |
| attached_roles | The list of role names of the roles attached to the policy. |
| attached_users | The list of usernames of the users attached to the policy. |
| default_version_id | The 'default_version_id' value of the specified policy. |
| policy | Returns the default version of the policy document after decoding as a Ruby hash. This hash contains the policy statements and is useful for performing checks that cannot be expressed using higher-level matchers like `have_statement`. |
| statement_count | Returns the number of statements present in the `policy`. |
## Examples
### Test that a policy does exist
describe aws_iam_policy('AWSSupportAccess') do
it { should exist }
end
### Test that a policy is attached to at least one entity
describe aws_iam_policy('AWSSupportAccess') do
it { should be_attached }
end
### Examine the policy statements
describe aws_iam_policy('my-policy') do
# Verify that there is at least one statement allowing access to S3
it { should have_statement(Action: 's3:PutObject', Effect: 'allow') }
# have_statement does not expand wildcards. If you want to verify
# they are absent, an explicit check is required.
it { should_not have_statement(Action: 's3:*') }
# You can also check NotAction
it { should_not have_statement(NotAction: 'iam:*') }
end
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
it { should exist }
it { should_not exist }
### be_attached
The test will pass if the identified policy is attached to at least one IAM user, group, or role.
describe aws_iam_policy('AWSSupportAccess') do
it { should be_attached }
end
### be_attached_to_group(GROUPNAME)
The test will pass if the identified policy attached the specified group.
describe aws_iam_policy('AWSSupportAccess') do
it { should be_attached_to_group(GROUPNAME) }
end
### be_attached_to_user(USERNAME)
The test will pass if the identified policy attached the specified user.
describe aws_iam_policy('AWSSupportAccess') do
it { should be_attached_to_user(USERNAME) }
end
### be_attached_to_role(ROLENAME)
The test will pass if the identified policy attached the specified role.
describe aws_iam_policy('AWSSupportAccess') do
it { should be_attached_to_role(ROLENAME) }
end
### have_statement
Examines the list of statements contained in the policy and passes if at least one of the statements matches. This matcher does _not_ interpret the policy in a request authorization context, as AWS does when a request processed. Rather, `have_statement` examines the literal contents of the IAM policy, and reports on what is present (or absent, when used with `should_not`).
`have_statement` accepts the following criteria to search for matching statements. If any statement matches all the criteria, the test is successful. All criteria may be used as Titlecase (as in the AWS examples) or lowercase, string or symbol.
- `Action` - Expresses the requested operation. Acceptable literal values are any AWS operation name, including the '\*' wildcard character. `Action` may also use a list of AWS operation names.
- `Effect` - Expresses if the operation is permitted. Acceptable values are 'Deny' and 'Allow'.
- `Sid` - A user-provided string identifier for the statement.
- `Resource` - Expresses the operation's target. Acceptable values are ARNs, including the '\*' wildcard. `Resource` may also use a list of ARN values.
Please note the following about the behavior of `have_statement`:
- `Action`, `Sid`, and `Resource` allow using a regular expression as the search critera instead of a string literal.
- It does not support wildcard expansion; to check for a wildcard value, check for it explicitly. For example, if the policy includes a statement with `"Action": "s3:*"` and the test checks for `Action: "s3:PutObject"`, the test _will not match_. You must write an additional test checking for the wildcard case.
- It supports searching list values. For example, if a statement contains a list of 3 resources, and a `have_statement` test specifes _one_ of those resources, it will match.
- `Action` and `Resource` allow using a list of string literals or regular expressions in a test, in which case _all_ must match on the _same_ statement for the test to match. Order is ignored.
- It does not support the [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html), [NotPrincipal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html) or [Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).
Examples:
# Verify there is no full-admin statement
describe aws_iam_policy('kryptonite') do
it { should_not have_statement('Effect' => 'Allow', 'Resource' => '*', 'Action' => '*')}
end
# Symbols and lowercase also allowed as criteria
describe aws_iam_policy('kryptonite') do
# All 4 the same
it { should_not have_statement('Effect' => 'Allow', 'Resource' => '*', 'Action' => '*')}
it { should_not have_statement('effect' => 'Allow', 'resource' => '*', 'action' => '*')}
it { should_not have_statement(Effect: 'Allow', Resource: '*', Action: '*')}
it { should_not have_statement(effect: 'Allow', resource: '*', action: '*')}
end
# Verify bob is allowed to manage things on S3 buckets that start with bobs-stuff
describe aws_iam_policy('bob-is-a-packrat') do
it { should have_statement(Effect: 'Allow',
# Using the AWS wildcard - this must match exactly
Resource: 'arn:aws:s3:::bobs-stuff*',
# Specify a list of actions - all must match, no others, order isn't important
Action: ['s3:PutObject', 's3:GetObject', 's3:DeleteObject'])}
# Bob would make new buckets constantly if we let him.
it { should_not have_statement(Effect: 'Allow', Action: 's3:CreateBucket')}
it { should_not have_statement(Effect: 'Allow', Action: 's3:*')}
it { should_not have_statement(Effect: 'Allow', Action: '*')}
# An alternative to checking for wildcards is to specify the
# statements you expect, then restrict statement count
its('statement_count') { should cmp 1 }
end
# Use regular expressions to examine the policy
describe aws_iam_policy('regex-demo') do
# Check to see if anything mentions RDS at all.
# This catches `rds:CreateDBinstance` and `rds:*`, but would not catch '*'.
it { should_not have_statement(Action: /^rds:.+$/)}
# This policy should refer to both sally and kim's s3 buckets.
# This will only match if there is a statement that refers to both resources.
it { should have_statement(Resource: [/arn:aws:s3.+:sally/, /arn:aws:s3.+:kim/]) }
# The following also matches on a statement mentioning only one of them
it { should have_statement(Resource: /arn:aws:s3.+:(sally|kim)/) }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `iam:GetPolicy`, `iam:ListPolicy`, and `iam:ListEntitiesForPolicy` actions set to allow.
You can find detailed documentation at [Actions, Resources, and Condition Keys for Identity And Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html).


@ -1,81 +0,0 @@
+++
title = "aws_iam_role resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_iam_role"
identifier = "inspec/resources/aws/aws_iam_role.md aws_iam_role resource"
parent = "inspec/resources/aws"
+++
Use the `aws_iam_role` InSpec audit resource to test properties of an AWS IAM Role.
## Syntax
An `aws_iam_role` resource block declares the tests for a single AWS IAM Role by Role Name.
describe aws_iam_role(role_name: 'my-role') do
it { should exist }
end
## Parameters
### role_name _(required)_
This resource accepts a single parameter, the Role Name which uniquely identifies the Role.
This can be passed either as a string or as a `role_name: 'value'` key-value entry in a hash.
See also the [AWS documentation on IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html).
## Properties
| Property | Description |
| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| path | The path to the role. |
| role_name | The name of the role. |
| role_id | The id of the role. |
| arn | The Amazon Resource Name (ARN) specifying the role. |
| create_date | The date and time, in ISO 8601 date-time format , when the role was created. |
| assume_role_policy_document | The policy that grants an entity permission to assume the role. |
| description | The description of the role. |
| max_session_duration | The maximum session duration (in seconds) for the specified role. Anyone who uses the AWS CLI, or API to assume the role can specify the duration using the optional DurationSeconds API parameter or duration-seconds CLI parameter. |
| permissions_boundary_type | The permissions boundary usage type that indicates what type of IAM resource is used as the permissions boundary for an entity. This data type can only have a value of Policy . |
| permissions_boundary_arn | The ARN of the policy used to set the permissions boundary for the user or role. |
| inline_policies | A list of inline policy names associated with the described role. |
| attached_policies_name | A list of attached policy names associated with the described role. |
| attached_policies_arn | A list of attached policy ARNs associated with the described role. |
## Examples
### Test that an IAM Role exists
describe aws_iam_role(role_name: aws_iam_role_name) do
it { should exist }
its('role_name') { should eq aws_iam_role_name }
end
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_iam_role('AnExistingRole') do
it { should exist }
end
describe aws_iam_role('ANonExistentRole') do
it { should_not exist }
end
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the following permissions action set to allow:
`iam:GetRole`


@ -1,77 +0,0 @@
+++
title = "aws_iam_roles resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_iam_roles"
identifier = "inspec/resources/aws/aws_iam_roles.md aws_iam_roles resource"
parent = "inspec/resources/aws"
+++
Use the `aws_iam_roles` InSpec audit resource to test properties of a collection of AWS IAM Roles.
## Syntax
An `aws_iam_roles` resource block returns all IAM Roles and allows the testing of that group of Roles.
describe aws_iam_roles do
it { should exist }
end
## Parameters
This resource does not expect any parameters.
See also the [AWS documentation on IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html).
## Properties
| Property | Description |
| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| paths | The path to the role. |
| role_names | The name of the role. |
| role_ids | The id of the role. |
| arns | The Amazon Resource Name (ARN) specifying the role. |
| create_date | The date and time, in ISO 8601 date-time format , when the role was created. |
| assume_role_policy_document | The policy that grants an entity permission to assume the role. |
| description | The description of the role. |
| max_session_duration | The maximum session duration (in seconds) for the specified role. Anyone who uses the AWS CLI, or API to assume the role can specify the duration using the optional DurationSeconds API parameter or duration-seconds CLI parameter. |
| permissions_boundary_type | The permissions boundary usage type that indicates what type of IAM resource is used as the permissions boundary for an entity. This data type can only have a value of Policy . |
| permissions_boundary_arn | The ARN of the policy used to set the permissions boundary for the user or role. |
| entries | Provides access to the raw results of the query, which can be treated as an array of hashes. |
## Examples
### Ensure the Role 'RDS-RW' exists.
describe aws_iam_roles do
its('role_names') { should include 'RDS-RW' }
end
### Ensure no Roles have `max_session_duration` greater or equal to 2hrs.
describe aws_iam_roles.where{ max_session_duration >= (60*120) } do
it { should_not exist }
end
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
The `exists` matcher tests if the filtered IAM User(s) exists.
describe aws_iam_roles.where( <property>: <param>) do
it { should exist }
end
You may also use `it { should_not exist }`.
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the following permissions set to Allow:
`iam:ListRoles`


@ -1,91 +0,0 @@
+++
title = "aws_iam_root_user resource"
draft = false
gh_repo = "inspec"
platform = "aws"
[menu]
[menu.inspec]
title = "aws_iam_root_user"
identifier = "inspec/resources/aws/aws_iam_root_user.md aws_iam_root_user resource"
parent = "inspec/resources/aws"
+++
Use the `aws_iam_root_user` InSpec audit resource to test properties of an AWS IAM Root User.
## Syntax
An `aws_iam_root_user` resource block declares the tests for a single AWS IAM Root User by user name.
describe aws_iam_root_user do
it { should exist }
end
## Parameters
This resource does not expect any parameters.
See also the [AWS documentation on Root Users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html).
## Properties
| Property | Description |
| --------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| summary_account | A hash containing a summary of the Root User's account. Properties within this hash can be accessed and tested against. Please see the [API Documentation](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html) for details on the available properties. |
| virtual_devices | A list of the virtual MFA devices in the AWS account. |
## Examples
### Test that an IAM Root User has MFA enabled
describe aws_iam_root_user do
it { should have_mfa_enabled }
end
### Test that an IAM Root User does not have an access key
describe aws_iam_root_user do
it { should_not have_access_key }
end
### Test the IAM Root User has virtual MFA enabled
describe aws_iam_root_user do
it { should have_virtual_mfa_enabled }
end
## Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### exist
The control will pass if the describe returns at least one result.
Use `should_not` to test the entity should not exist.
describe aws_iam_root_user do
it { should exist }
end
### have_mfa_enabled
it { should have_mfa_enabled }
### have_virtual_mfa_enabled
it { should have_virtual_mfa_enabled }
### have_access_key
it { should have_access_key }
### have_hardware_mfa_enabled
it { should have_hardware_mfa_enabled }
## AWS Permissions
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the following permissions action set to allow:
`iam:GetAccountSummary`
`iam:ListVirtualMFADevices`
