Mirrors/inspec
2
0
Fork 0
mirror of https://github.com/inspec/inspec synced 2024-11-10 07:04:15 +00:00
Code Issues Projects Releases Packages Wiki Activity

Update AWS profile generation for InSpec 4 to depend on the new resource pack.

Browse source 
Signed-off-by: Stuart Paterson <spaterson@chef.io>
This commit is contained in:
Stuart Paterson 2019-02-22 14:55:50 +00:00 committed by Clinton Wolfe
parent 36eb4459c1
commit 41a680270e
3 changed files with 184 additions and 43 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

189
lib/plugins/inspec-init/templates/profiles/aws/README.md
View file

@ -5,50 +5,183 @@ This example shows the implementation of an InSpec profile for AWS.
## Create a profile
```
$ inspec init profile --platform aws aws-security
Create new profile at /Users/liamcaproni/aws-security
* Create directory libraries
* Create file README.md
* Create directory controls
* Create file controls/example.rb
* Create file inspec.yml
* Create file attributes.yml
* Create file libraries/.gitkeep
$ inspec init profile --platform aws my-profile
─────────────────────────── InSpec Code Generator ───────────────────────────
Creating new profile at /Users/spaterson/my-profile
• Creating directory libraries
• Creating file README.md
• Creating directory controls
• Creating file controls/example.rb
• Creating file inspec.yml
• Creating file attributes.yml
• Creating file libraries/.gitkeep
```
## Update `attributes.yml` to point to your custom VPC
## Optionally update `attributes.yml` to point to your custom VPC
```
aws_vpc_id: 'custom-vpc-id'
```
The related control will simply be skipped if this is not provided. See the [InSpec DSL documentation](https://www.inspec.io/docs/reference/dsl_inspec/) for more details on conditional execution using `only_if`.
## Run the tests
```
$ cd aws-profile/
$ inspec exec -t aws://eu-west-1/test-iam-profile --attrs attributes.yml aws-security
### With a VPC Identifier
Profile: InSpec Profile (aws-security)
With a supplied VPC identifier in `attributes.yml` both of the example controls will run. The 'aws-single-vpc-exists-check' control will only check for a VPC identifier in the currently configured AWS SDK region e.g. `eu-west-2` in the below:
```
$ cd my-profile/
$ inspec exec . -t aws:// --attrs attributes.yml
Profile: AWS InSpec Profile (my-profile)
Version: 0.1.0
Target: aws://eu-west-2
✔ aws-vpc-check: Check to see if custom VPC exists.
✔ VPC vpc-0014dad216b7664e3 should exist
✔ aws-vpcs-check: Check in all the VPCs for default sg not allowing 22 inwards
✔ EC2 Security Group sg-05cd285a7499ee2bf should allow in {:port=>22}
✔ EC2 Security Group sg-0f0faf6d01eafc65d should allow in {:port=>22}
✔ EC2 Security Group sg-0cb134808cb42f188 should allow in {:port=>22}
✔ EC2 Security Group sg-06b2ae6dea43e32b6 should allow in {:port=>22}
✔ EC2 Security Group sg-0fc81264868480768 should allow in {:port=>22}
✔ EC2 Security Group sg-0cc3c94d414fdcd1b should allow in {:port=>22}
✔ EC2 Security Group sg-0abe7f61 should allow in {:port=>22}
✔ EC2 Security Group sg-0f346bed179f1e6ad should allow in {:port=>22}
✔ EC2 Security Group sg-0ff737c3be7a370ab should allow in {:port=>22}
✔ EC2 Security Group sg-0f37838285d37d035 should allow in {:port=>22}
✔ EC2 Security Group sg-001651d64991000f7 should allow in {:port=>22}
✔ aws-single-vpc-exists-check: Check to see if custom VPC exists.
✔ VPC vpc-1ea06476 should exist
✔ aws-vpcs-multi-region-status-check: Check AWS VPCs in all regions have status "available"
✔ VPC vpc-6458b70d in eu-north-1 should exist
✔ VPC vpc-6458b70d in eu-north-1 should be available
✔ VPC vpc-8d1390e5 in ap-south-1 should exist
✔ VPC vpc-8d1390e5 in ap-south-1 should be available
✔ VPC vpc-07a71d6e in eu-west-3 should exist
✔ VPC vpc-07a71d6e in eu-west-3 should be available
✔ VPC vpc-021630e2e767412b5 in eu-west-2 should exist
✔ VPC vpc-021630e2e767412b5 in eu-west-2 should be available
✔ VPC vpc-1ea06476 in eu-west-2 should exist
✔ VPC vpc-1ea06476 in eu-west-2 should be available
✔ VPC vpc-169dee70 in eu-west-1 should exist
✔ VPC vpc-169dee70 in eu-west-1 should be available
✔ VPC vpc-0179e75c347607887 in eu-west-1 should exist
✔ VPC vpc-0179e75c347607887 in eu-west-1 should be available
✔ VPC vpc-09ff83d71da9d2b6e in eu-west-1 should exist
✔ VPC vpc-09ff83d71da9d2b6e in eu-west-1 should be available
✔ VPC vpc-0ebccac2337a90f13 in eu-west-1 should exist
✔ VPC vpc-0ebccac2337a90f13 in eu-west-1 should be available
✔ VPC vpc-c2a53da4 in eu-west-1 should exist
✔ VPC vpc-c2a53da4 in eu-west-1 should be available
✔ VPC vpc-4fb3f127 in ap-northeast-2 should exist
✔ VPC vpc-4fb3f127 in ap-northeast-2 should be available
✔ VPC vpc-0804856f in ap-northeast-1 should exist
✔ VPC vpc-0804856f in ap-northeast-1 should be available
✔ VPC vpc-ccb917ab in sa-east-1 should exist
✔ VPC vpc-ccb917ab in sa-east-1 should be available
✔ VPC vpc-0afcc60c70a30a615 in ca-central-1 should exist
✔ VPC vpc-0afcc60c70a30a615 in ca-central-1 should be available
✔ VPC vpc-20a25048 in ca-central-1 should exist
✔ VPC vpc-20a25048 in ca-central-1 should be available
✔ VPC vpc-5896143f in ap-southeast-1 should exist
✔ VPC vpc-5896143f in ap-southeast-1 should be available
✔ VPC vpc-47972220 in ap-southeast-2 should exist
✔ VPC vpc-47972220 in ap-southeast-2 should be available
✔ VPC vpc-071b6f0c69d1d0311 in eu-central-1 should exist
✔ VPC vpc-071b6f0c69d1d0311 in eu-central-1 should be available
✔ VPC vpc-807dfdeb in eu-central-1 should exist
✔ VPC vpc-807dfdeb in eu-central-1 should be available
✔ VPC vpc-04071aa6604b8750f in eu-central-1 should exist
✔ VPC vpc-04071aa6604b8750f in eu-central-1 should be available
✔ VPC vpc-f060cd8b in us-east-1 should exist
✔ VPC vpc-f060cd8b in us-east-1 should be available
✔ VPC vpc-0c3a7e116c58d714b in us-east-1 should exist
✔ VPC vpc-0c3a7e116c58d714b in us-east-1 should be available
✔ VPC vpc-047bff6c in us-east-2 should exist
✔ VPC vpc-047bff6c in us-east-2 should be available
✔ VPC vpc-93dd6ef4 in us-west-1 should exist
✔ VPC vpc-93dd6ef4 in us-west-1 should be available
✔ VPC vpc-2c0a6a55 in us-west-2 should exist
✔ VPC vpc-2c0a6a55 in us-west-2 should be available
Profile: Amazon Web Services Resource Pack (inspec-aws)
Version: 0.1.0
Target: aws://eu-west-2
No tests executed.
Profile Summary: 2 successful controls, 0 control failures, 0 controls skipped
Test Summary: 51 successful, 0 failures, 0 skipped
```
### Without Supplying a VPC Identifier
If no VPC identifier is supplied, the 'aws-single-vpc-exists-check' control is skipped and the other control runs. The `attributes.yml` file does not have to be specified to InSpec in this case.
```
$ cd my-profile/
$ inspec exec . -t aws://
Profile: AWS InSpec Profile (my-profile)
Version: 0.1.0
Target: aws://eu-west-2
↺ aws-single-vpc-exists-check: Check to see if custom VPC exists.
↺ Skipped control due to only_if condition.
✔ aws-vpcs-multi-region-status-check: Check AWS VPCs in all regions have status "available"
✔ VPC vpc-6458b70d in eu-north-1 should exist
✔ VPC vpc-6458b70d in eu-north-1 should be available
✔ VPC vpc-8d1390e5 in ap-south-1 should exist
✔ VPC vpc-8d1390e5 in ap-south-1 should be available
✔ VPC vpc-07a71d6e in eu-west-3 should exist
✔ VPC vpc-07a71d6e in eu-west-3 should be available
✔ VPC vpc-021630e2e767412b5 in eu-west-2 should exist
✔ VPC vpc-021630e2e767412b5 in eu-west-2 should be available
✔ VPC vpc-1ea06476 in eu-west-2 should exist
✔ VPC vpc-1ea06476 in eu-west-2 should be available
✔ VPC vpc-169dee70 in eu-west-1 should exist
✔ VPC vpc-169dee70 in eu-west-1 should be available
✔ VPC vpc-0179e75c347607887 in eu-west-1 should exist
✔ VPC vpc-0179e75c347607887 in eu-west-1 should be available
✔ VPC vpc-09ff83d71da9d2b6e in eu-west-1 should exist
✔ VPC vpc-09ff83d71da9d2b6e in eu-west-1 should be available
✔ VPC vpc-0ebccac2337a90f13 in eu-west-1 should exist
✔ VPC vpc-0ebccac2337a90f13 in eu-west-1 should be available
✔ VPC vpc-c2a53da4 in eu-west-1 should exist
✔ VPC vpc-c2a53da4 in eu-west-1 should be available
✔ VPC vpc-4fb3f127 in ap-northeast-2 should exist
✔ VPC vpc-4fb3f127 in ap-northeast-2 should be available
✔ VPC vpc-0804856f in ap-northeast-1 should exist
✔ VPC vpc-0804856f in ap-northeast-1 should be available
✔ VPC vpc-ccb917ab in sa-east-1 should exist
✔ VPC vpc-ccb917ab in sa-east-1 should be available
✔ VPC vpc-0afcc60c70a30a615 in ca-central-1 should exist
✔ VPC vpc-0afcc60c70a30a615 in ca-central-1 should be available
✔ VPC vpc-20a25048 in ca-central-1 should exist
✔ VPC vpc-20a25048 in ca-central-1 should be available
✔ VPC vpc-5896143f in ap-southeast-1 should exist
✔ VPC vpc-5896143f in ap-southeast-1 should be available
✔ VPC vpc-47972220 in ap-southeast-2 should exist
✔ VPC vpc-47972220 in ap-southeast-2 should be available
✔ VPC vpc-071b6f0c69d1d0311 in eu-central-1 should exist
✔ VPC vpc-071b6f0c69d1d0311 in eu-central-1 should be available
✔ VPC vpc-807dfdeb in eu-central-1 should exist
✔ VPC vpc-807dfdeb in eu-central-1 should be available
✔ VPC vpc-04071aa6604b8750f in eu-central-1 should exist
✔ VPC vpc-04071aa6604b8750f in eu-central-1 should be available
✔ VPC vpc-f060cd8b in us-east-1 should exist
✔ VPC vpc-f060cd8b in us-east-1 should be available
✔ VPC vpc-0c3a7e116c58d714b in us-east-1 should exist
✔ VPC vpc-0c3a7e116c58d714b in us-east-1 should be available
✔ VPC vpc-047bff6c in us-east-2 should exist
✔ VPC vpc-047bff6c in us-east-2 should be available
✔ VPC vpc-93dd6ef4 in us-west-1 should exist
✔ VPC vpc-93dd6ef4 in us-west-1 should be available
✔ VPC vpc-2c0a6a55 in us-west-2 should exist
✔ VPC vpc-2c0a6a55 in us-west-2 should be available
Profile: Amazon Web Services Resource Pack (inspec-aws)
Version: 0.1.0
Target: aws://eu-west-2
No tests executed.
Profile Summary: 1 successful control, 0 control failures, 1 control skipped
Test Summary: 50 successful, 0 failures, 1 skipped
```

26
lib/plugins/inspec-init/templates/profiles/aws/controls/example.rb
View file

@ -3,24 +3,28 @@
title 'Sample Section'
aws_vpc_id = attribute('aws_vpc_id')
aws_vpc_id = attribute('aws_vpc_id', default: '', description: 'Optional AWS VPC identifier.')
# you add controls here
control 'aws-vpc-check' do # A unique ID for this control.
# You add controls here
control 'aws-single-vpc-exists-check' do # A unique ID for this control.
only_if { aws_vpc_id != ''} # Only run this control if the `aws_vpc_id` atrtibute is provided.
impact 1.0 # The criticality, if this control fails.
title 'Check to see if custom VPC exists.' # A human-readable title
title 'Check to see if custom VPC exists.' # A human-readable title.
describe aws_vpc(aws_vpc_id) do # The test itself.
it { should exist }
end
end
# Plural resources can be inspected to check for specific resource details.
control 'aws-vpcs-check' do
impact 1.0
title 'Check in all the VPCs for default sg not allowing 22 inwards'
aws_vpcs.vpc_ids.each do |vpc_id|
describe aws_security_group(vpc_id: vpc_id, group_name: 'default') do
it { should allow_in(port: 22) }
# Plural resources can be inspected to check for specific resource details
control 'aws-vpcs-multi-region-status-check' do # A unique ID for this control.
impact 1.0 # The criticality, if this control fails.
title 'Check AWS VPCs in all regions have status "available"' # A human-readable title.
aws_regions.region_names.each do |region| # Loop over all available AWS regions
aws_vpcs(aws_region: region).vpc_ids.each do |vpc| # Find all VPCs in a single AWS region
describe aws_vpc(aws_region: region, vpc_id: vpc) do # The test itself.
it { should exist } # Confirms AWS VPC exists
it { should be_available } # Confirms AWS VPC has status "available"
end
end
end
end

12
lib/plugins/inspec-init/templates/profiles/aws/inspec.yml
View file

@ -6,11 +6,15 @@ copyright_email: you@example.com
license: Apache-2.0
summary: An InSpec Compliance Profile For AWS
version: 0.1.0
inspec_version: '>= 2.3.5'
inspec_version: '~> 4'
attributes:
- name: aws_vpc_id
required: true
description: 'The Custom AWS VPC Id'
required: false
default: ''
description: 'Optional Custom AWS VPC Id'
type: string
depends:
- name: inspec-aws
url: https://github.com/inspec/inspec-aws/archive/master.tar.gz
supports:
- platform: aws
- platform: aws