mirror of
https://github.com/inspec/inspec
synced 2024-11-27 07:00:39 +00:00
Spelling and punctuation check on Azure and AWS (#2657)
* Spelling and punctuation check Signed-off-by: kagarmoe <kgarmoe@chef.io>
This commit is contained in:
parent
f9452b022a
commit
bd7327b91c
16 changed files with 46 additions and 48 deletions
|
@ -45,7 +45,7 @@ The following examples show how to use this InSpec audit resource.
|
|||
it { should be_encrypted }
|
||||
end
|
||||
|
||||
### Test that the specified trail is a multi region trail
|
||||
### Test that the specified trail is a multi-region trail
|
||||
|
||||
describe aws_cloudtrail_trail('trail-name') do
|
||||
it { should be_multi_region_trail }
|
||||
|
@ -117,7 +117,7 @@ This InSpec audit resource has the following special matchers. For a full list o
|
|||
|
||||
### be\_multi\_region\_trail
|
||||
|
||||
The test will pass if the identified trail is a multi region trail.
|
||||
The test will pass if the identified trail is a multi-region trail.
|
||||
|
||||
describe aws_cloudtrail_trail('trail-name') do
|
||||
it { should be_multi_region_trail }
|
||||
|
|
|
@ -41,7 +41,7 @@ As this is the initial release of `aws_cloudtrail_trails`, its limited functiona
|
|||
|
||||
### entries
|
||||
|
||||
Provides access to the raw results of the query. This can be useful for checking counts and other advanced operations.
|
||||
Provides access to the raw results of the query. This can be useful for checking counts and other advanced operations.
|
||||
|
||||
# Allow at most 100 CloudTrail Trails on the account
|
||||
describe aws_cloudtrail_trails do
|
||||
|
|
|
@ -7,13 +7,13 @@ platform: aws
|
|||
|
||||
Use the `aws_cloudwatch_alarm` InSpec audit resource to test properties of a single Cloudwatch Alarm.
|
||||
|
||||
Cloudwatch Alarms are currently identified using the metric name and metric namespace. Future work may allow other approaches to identifying alarms.
|
||||
Cloudwatch Alarms are currently identified using the metric name and metric namespace. Future work may allow other approaches to identifying alarms.
|
||||
|
||||
<br>
|
||||
|
||||
## Syntax
|
||||
|
||||
An `aws_cloudwatch_alarm` resource block searches for a Cloudwatch Alarm, specified by several search options. If more than one Alarm matches, an error occurs.
|
||||
An `aws_cloudwatch_alarm` resource block searches for a Cloudwatch Alarm, specified by several search options. If more than one Alarm matches, an error occurs.
|
||||
|
||||
# Look for a specific alarm
|
||||
aws_cloudwatch_alarm(
|
||||
|
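Review bot: "Cloudwatch" in the resource description and in the two rewritten paragraphs should read "CloudWatch", which is how AWS spells the service name; a spelling pass over these docs is the natural place to fix it, and the same lower-case "w" appears on the `aws_cloudwatch_log_metric_filter` page touched later in this commit.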
@ -48,7 +48,7 @@ The following examples show how to use this InSpec audit resource.
|
|||
|
||||
### alarm\_actions
|
||||
|
||||
`alarm_actions` returns a list of strings. Each string is the ARN of an action that will be taken should the alarm be triggered.
|
||||
`alarm_actions` returns a list of strings. Each string is the ARN of an action that will be taken should the alarm be triggered.
|
||||
|
||||
# Ensure that the alarm has at least one action
|
||||
describe aws_cloudwatch_alarm(
|
||||
|
|
|
@ -7,7 +7,7 @@ platform: aws
|
|||
|
||||
Use the `aws_cloudwatch_log_metric_filter` InSpec audit resource to search for and test properties of individual AWS Cloudwatch Log Metric Filters.
|
||||
|
||||
A Log Metric Filter (LMF) is an AWS resource that observes log traffic, looks for a specified pattern, and updates a metric about the number times the match occurs. The metric can also be connected to AWS Cloudwatch Alarms, so that actions can be taken when a match occurs.
|
||||
A Log Metric Filter (LMF) is an AWS resource that observes log traffic, looks for a specified pattern, and then updates a metric about the number times the match occurs. The metric can also be connected to AWS Cloudwatch Alarms, so that actions can be taken when a match occurs.
|
||||
|
||||
<br>
|
||||
|
||||
|
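Review bot: the rewritten sentence still reads "a metric about the number times the match occurs"; it is missing "of" ("the number of times the match occurs"). "Cloudwatch Alarms" in the same sentence should also be "CloudWatch Alarms" to match AWS's spelling of the service.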
@ -15,7 +15,7 @@ A Log Metric Filter (LMF) is an AWS resource that observes log traffic, looks fo
|
|||
|
||||
An `aws_cloudwatch_log_metric_filter` resource block searches for an LMF, specified by several search options. If more than one log metric filter matches, an error occurs.
|
||||
|
||||
# Look for a LMF by its filter name and log group name. This combination
|
||||
# Look for an LMF by its filter name and log group name. This combination
|
||||
# will always either find at most one LMF - no duplicates.
|
||||
describe aws_cloudwatch_log_metric_filter(
|
||||
filter_name: 'my-filter',
|
||||
|
|
|
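Review bot: the untouched comment line "will always either find at most one LMF - no duplicates" has an "either" with no "or" to pair with; suggest "will always find at most one LMF (no duplicates)".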
@ -89,13 +89,13 @@ The `be_stopped` matcher tests if the described EC2 instance state is `stopped`.
|
|||
|
||||
### be\_stopping
|
||||
|
||||
The `be_stopping` matcher tests if the described EC2 instance state is `stopping`. This indicates that an AWS stop command has been issued, which will suspend the instance in an OS-unaware manner. This state should be temporary.
|
||||
The `be_stopping` matcher tests if the described EC2 instance state is `stopping`. This indicates that an AWS stop command has been issued, which will suspend the instance in an OS-unaware manner. This state should be temporary.
|
||||
|
||||
it { should be_stopping }
|
||||
|
||||
### be\_terminated
|
||||
|
||||
The `be_terminated` matcher tests if the described EC2 instance state is `terminated`. This indicates the instance is permanently halted and will be removed from the instance listing in a short period. This state should be temporary.
|
||||
The `be_terminated` matcher tests if the described EC2 instance state is `terminated`. This indicates the instance is permanently halted and will be removed from the instance listing in a short period. This state should be temporary.
|
||||
|
||||
it { should be_terminated }
|
||||
|
||||
|
|
|
@ -11,7 +11,7 @@ Use the `aws_iam_access_key` InSpec audit resource to test properties of a singl
|
|||
|
||||
## Syntax
|
||||
|
||||
An `aws_iam_access_key` resource block declares the tests for a single AWS IAM access key. An access key is uniquely identified by its access key id.
|
||||
An `aws_iam_access_key` resource block declares the tests for a single AWS IAM access key. An access key is uniquely identified by its access key id.
|
||||
|
||||
# This is unique - the key will either exist or it won't, but it will never be an error.
|
||||
describe aws_iam_access_key(access_key_id: 'AKIA12345678ABCD') do
|
||||
|
@ -27,9 +27,9 @@ An `aws_iam_access_key` resource block declares the tests for a single AWS IAM a
|
|||
end
|
||||
|
||||
|
||||
Access keys are associated with IAM users, who may have zero, one or two access keys. You may also lookup an access key by username. If the user has more than one access key, an error occurs (You may use `aws_iam_access_keys` with the `username` resource parameter to access a user's keys when they have multiple keys.)
|
||||
Access keys are associated with IAM users, who may have zero, one or two access keys. You may also lookup an access key by username. If the user has more than one access key, an error occurs (You may use `aws_iam_access_keys` with the `username` resource parameter to access a user's keys when they have multiple keys.)
|
||||
|
||||
# This is not unique. If the user has zero or one keys, it is not an error.
|
||||
# This is not unique. If the user has zero or one keys, it is not an error.
|
||||
# If they have two, it is an error.
|
||||
describe aws_iam_access_key(username: 'roderick') do
|
||||
it { should exist }
|
||||
|
|
|
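Review bot: "You may also lookup an access key by username" uses the noun form; as a verb it is two words, "look up". The trailing parenthetical "(You may use `aws_iam_access_keys` ...)" also swallows the sentence's full stop, so the sentence ends with ")" and no period; move the period after the closing parenthesis or make the parenthetical its own sentence.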
@ -7,10 +7,10 @@ platform: aws
|
|||
|
||||
Use the `aws_iam_access_keys` InSpec audit resource to test properties of some or all IAM Access Keys.
|
||||
|
||||
To test properties of a single Access Key, use the `aws_iam_access_key` resource instead.
|
||||
To test properties of a single Access Key, use the `aws_iam_access_key` resource instead.
|
||||
To test properties of an individual user's access keys, use the `aws_iam_user` resource.
|
||||
|
||||
Access Keys are closely related to AWS User resources. Use this resource to perform audits of all keys or of keys specified by criteria unrelated to any particular user.
|
||||
Access Keys are closely related to AWS User resources. Use this resource to perform audits of all keys or of keys specified by criteria unrelated to any particular user.
|
||||
|
||||
<br>
|
||||
|
||||
|
@ -56,7 +56,7 @@ The following examples show how to use this InSpec audit resource.
|
|||
|
||||
### active
|
||||
|
||||
A true / false value indicating if an Access Key is currently "Active" (the normal state) in the AWS console. See also: `inactive`.
|
||||
A true / false value indicating if an Access Key is currently "Active" (the normal state) in the AWS console. See also: `inactive`.
|
||||
|
||||
# Check if a particular key is enabled
|
||||
describe aws_iam_access_keys.where { active } do
|
||||
|
@ -65,7 +65,7 @@ A true / false value indicating if an Access Key is currently "Active" (the norm
|
|||
|
||||
### create\_date
|
||||
|
||||
A DateTime identifying when the Access Key was created. See also `created_days_ago` and `created_hours_ago`.
|
||||
A DateTime identifying when the Access Key was created. See also `created_days_ago` and `created_hours_ago`.
|
||||
|
||||
# Detect keys older than 2017
|
||||
describe aws_iam_access_keys.where { create_date < DateTime.parse('2017-01-01') } do
|
||||
|
@ -170,7 +170,7 @@ Provides a list of all access key IDs matched.
|
|||
|
||||
### entries
|
||||
|
||||
Provides access to the raw results of the query. This can be useful for checking counts and other advanced operations.
|
||||
Provides access to the raw results of the query. This can be useful for checking counts and other advanced operations.
|
||||
|
||||
# Allow at most 100 access keys on the account
|
||||
describe aws_iam_access_keys do
|
||||
|
|
|
@ -11,7 +11,7 @@ Use the `aws_iam_password_policy` InSpec audit resource to test properties of th
|
|||
|
||||
## Syntax
|
||||
|
||||
An `aws_iam_password_policy` resource block takes no parameters. Several properties and matchers are available.
|
||||
An `aws_iam_password_policy` resource block takes no parameters. Several properties and matchers are available.
|
||||
|
||||
describe aws_iam_password_policy do
|
||||
it { should require_lowercase_characters }
|
||||
|
@ -21,7 +21,7 @@ An `aws_iam_password_policy` resource block takes no parameters. Several proper
|
|||
|
||||
## Properties
|
||||
|
||||
* `max_password_age_in_days`, `minimum_password_length`, `number_of_passwords_to_remember`
|
||||
* `max_password_age_in_days`, `minimum_password_length`, `number_of_passwords_to_remember`
|
||||
|
||||
## Examples
|
||||
|
||||
|
|
|
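Review bot: the removed and added lines look identical in this view; the hunk header's "Several  proper" shows that the change is collapsing a double space after the full stop. Whitespace-only edits like this one (and the similar identical-looking pairs elsewhere in the commit) are easier to review when the commit message says so.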
@ -58,7 +58,7 @@ Provides a list of policy arns for all IAM Policies in the AWS account.
|
|||
|
||||
### entries
|
||||
|
||||
Provides access to the raw results of the query. This can be useful for checking counts and other advanced operations.
|
||||
Provides access to the raw results of the query. This can be useful for checking counts and other advanced operations.
|
||||
|
||||
# Allow at most 100 IAM Policies on the account
|
||||
describe aws_iam_policies do
|
||||
|
|
|
@ -103,7 +103,7 @@ If there is no bucket policy, this property returns an empty array.
|
|||
bucket_policy = aws_s3_bucket('my-bucket')
|
||||
|
||||
# Look for statements that allow the general public to do things
|
||||
# This may be a false positive; it's possible these statements
|
||||
# This may be a false positive; it is possible these statements
|
||||
# could be protected by conditions, such as IP restrictions.
|
||||
public_statements = bucket_policy.select do |s|
|
||||
s.effect == 'Allow' && s.principal == '*'
|
||||
|
|
|
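Review bot: the context line `bucket_policy = aws_s3_bucket('my-bucket')` assigns the resource object itself, and `bucket_policy.select do |s|` then iterates over the resource rather than over the policy statements the section describes; if the section's bucket policy property is meant, the assignment should read it off the resource (e.g. `aws_s3_bucket('my-bucket').bucket_policy`). Separately from the punctuation change, the false-positive comment could also note the opposite case: `s.principal == '*'` only matches a principal written as the bare string `'*'`, so a statement that grants the same public access using the `{"AWS": "*"}` form would be missed if the property returns it in that shape, which is a false negative.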
@ -9,7 +9,7 @@ Use the `aws_vpc` InSpec audit resource to test properties of a single AWS Virtu
|
|||
|
||||
To test properties of all or multiple VPCs, use the `aws_vpcs` resource.
|
||||
|
||||
A VPC is a networking construct that provides an isolated environment. A VPC is contained in a geographic region, but spans availability zones in that region. A VPC may have multiple subnets, internet gateways, and other networking resources. Computing resources--such as EC2 instances--reside on subnets within the VPC.
|
||||
A VPC is a networking construct that provides an isolated environment. A VPC is contained in a geographic region, but spans availability zones in that region. A VPC may have multiple subnets, internet gateways, and other networking resources. Computing resources--such as EC2 instances--reside on subnets within the VPC.
|
||||
|
||||
Each VPC is uniquely identified by its VPC ID. In addition, each VPC has a non-unique CIDR IP Address range (such as 10.0.0.0/16) which it manages.
|
||||
|
||||
|
|
|
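Review bot: "Computing resources--such as EC2 instances--reside on subnets" uses two hyphens as a dash, which Markdown renders literally; since this is a punctuation pass, replace them with commas or a proper dash. "which it manages" at the end of the CIDR sentence is a restrictive clause and reads better as "that it manages".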
@ -7,7 +7,7 @@ platform: aws
|
|||
|
||||
Use the `aws_vpcs` InSpec audit resource to test properties of some or all AWS Virtual Private Clouds (VPCs).
|
||||
|
||||
A VPC is a networking construct that provides an isolated environment. A VPC is contained in a geographic region, but spans availability zones in that region. A VPC may have multiple subnets, internet gateways, and other networking resources. Computing resources--such as EC2 instances--reside on subnets within the VPC.
|
||||
A VPC is a networking construct that provides an isolated environment. A VPC is contained in a geographic region, but spans availability zones in that region. A VPC may have multiple subnets, internet gateways, and other networking resources. Computing resources--such as EC2 instances--reside on subnets within the VPC.
|
||||
|
||||
Each VPC is uniquely identified by its VPC ID. In addition, each VPC has a non-unique CIDR IP Address range (such as 10.0.0.0/16) which it manages.
|
||||
|
||||
|
|
|
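Review bot: this is the same VPC paragraph as on the `aws_vpc` page, with the same "--" dashes and the same "which it manages" clause; whatever punctuation fix is applied there should be applied here as well so the two copies stay identical.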
@ -63,8 +63,6 @@ Use this parameter to define the type of resources to test.
|
|||
...
|
||||
end
|
||||
|
||||
|
||||
|
||||
These options can also be set using the environment variables:
|
||||
|
||||
* `AZURE_RESOURCE_GROUP_NAME`
|
||||
|
@ -76,7 +74,7 @@ When the options have been set as well as the environment variables, the environ
|
|||
|
||||
<br>
|
||||
|
||||
## Example
|
||||
## Parameter Example
|
||||
|
||||
describe azure_generic_resource(group_name: 'Inspec-Azure', name: 'Linux-Internal-VM', apiversion: '2.0') do
|
||||
its('location') { should eq 'westeurope' }
|
||||
|
@ -162,7 +160,7 @@ The following examples show how to use some of the InSpec audit properties:
|
|||
|
||||
## Matchers
|
||||
|
||||
For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
||||
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
|
||||
|
||||
<br>
|
||||
|
||||
|
|
|
@ -68,7 +68,7 @@ Use this parameter to define the name of the Azure resource to test.
|
|||
...
|
||||
end
|
||||
|
||||
If both `group_name` and `name` is set then `name` will take priority.
|
||||
If both `group_name` and `name` is set then `name` takes priority
|
||||
|
||||
These options can also be set using the environment variables:
|
||||
|
||||
|
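Review bot: the new line "If both `group_name` and `name` is set then `name` takes priority" drops the full stop the old line had, and both versions have a number-agreement error (plural subject, so "are set"). Suggest "If both `group_name` and `name` are set, then `name` takes priority."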
@ -164,7 +164,7 @@ Tests the number of Public IP Addresses in the resource group.
|
|||
|
||||
Tests the number of managed disk images that are in the resource group.
|
||||
|
||||
These are the items from which managed disks are created which are attached to machines. Generally the images are created from a base image or a custom image (e.g. Packer).
|
||||
Managed disks are created from disk images and then attached to the machines. Generally, the images are created from a base image or a custom image (e.g., Packer)
|
||||
|
||||
its('managed_disk_image_count') { should eq 5 }
|
||||
|
||||
|
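Review bot: the rewritten sentence ends "(e.g., Packer)" with no terminal period, while the line it replaces had one; add the full stop after the closing parenthesis.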
@ -240,7 +240,7 @@ Use this matcher to test that public ips exist.
|
|||
|
||||
## Tags
|
||||
|
||||
It is possible to test the tags that have been assigned to the resource. There are a number of properties that can be called to check that it has tags, that it has the correct number and that the correct ones are assigned.
|
||||
It is possible to test the tags that have been assigned to the resource. There are some properties for checking that a resource has tags, that it has the correct number of tags, and that the correct tags are assigned.
|
||||
|
||||
### have\_tags
|
||||
|
||||
|
@ -262,7 +262,7 @@ It is possible to check if a specific tag has been set on the resource.
|
|||
|
||||
### xxx\_tag
|
||||
|
||||
To get the value of the tag, a number of preoprties have been created from the tags that are set.
|
||||
To get the value of the tag, some properties are created from the tags themselves.
|
||||
|
||||
For example, if the following tag is set on a resource:
|
||||
|
||||
|
|
|
@ -5,11 +5,11 @@ platform: azure
|
|||
|
||||
# azure\_virtual\_machine
|
||||
|
||||
Use the `azure_virtual_machine` InSpec audit resource to ensure that a Virtual Machine has been provisionned correctly.
|
||||
Use the `azure_virtual_machine` InSpec audit resource to ensure that a Virtual Machine has been provisioned correctly.
|
||||
|
||||
## Syntax
|
||||
|
||||
The name of the machine and the resourece group are required as properties to the resource.
|
||||
The name of the machine and the resource group are required as properties to the resource.
|
||||
|
||||
describe azure_virtual_machine(group_name: 'MyResourceGroup', name: 'MyVM') do
|
||||
its('property') { should eq 'value' }
|
||||
|
@ -17,9 +17,9 @@ The name of the machine and the resourece group are required as properties to th
|
|||
|
||||
where
|
||||
|
||||
* `MyVm` is the name of the virtual machine as seen in Azure. (It is **not** the hostname of the machine)
|
||||
* `MyResourceGroup` is the name of the resource group that the machine is in.
|
||||
* `property` is one of
|
||||
* `MyVm` is the name of the virtual machine as seen in Azure; it is **not** the hostname of the machine
|
||||
* `MyResourceGroup` is the name of the machine's resource group
|
||||
* `property` is one of the resource properties
|
||||
* `value` is the expected output from the matcher
|
||||
|
||||
## Examples
|
||||
|
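Review bot: the bullet reads "`MyVm` is the name of the virtual machine", but the `describe` example above it uses `name: 'MyVM'`; the two spellings should match so a reader can map the bullet onto the example.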
@ -106,9 +106,9 @@ Name of the Virtual Machine in Azure. Be aware that this is not the computer nam
|
|||
|
||||
### publisher
|
||||
|
||||
The publisher of the image from which this machine was built.
|
||||
The publisher of this machine's build image.
|
||||
|
||||
This will be `nil` if the machine was created from a custom image.
|
||||
`nil` if the machine was created from a custom image.
|
||||
|
||||
its('publisher') { should cmp 'MicrosoftWindowsServer' }
|
||||
|
||||
|
@ -116,7 +116,7 @@ This will be `nil` if the machine was created from a custom image.
|
|||
|
||||
The offer from the publisher of the build image.
|
||||
|
||||
This will be `nil` if the machine was created from a custom image.
|
||||
`nil` if the machine was created from a custom image.
|
||||
|
||||
its('offer') { should cmp 'WindowsServer' }
|
||||
|
||||
|
@ -124,13 +124,13 @@ This will be `nil` if the machine was created from a custom image.
|
|||
|
||||
The item from the publisher that was used to create the image.
|
||||
|
||||
This will be `nil` if the machine was created from a custom image.
|
||||
`nil` if the machine was created from a custom image.
|
||||
|
||||
its('sku') { should cmp '2016-Datacenter' }
|
||||
|
||||
### os\_type
|
||||
|
||||
Test that returns the classification in Azure of the operating system type. Ostensibly this will be either `Linux` or `Windows`.
|
||||
Test that returns the classification in Azure of the operating system type. Usually either `Linux` or `Windows`.
|
||||
|
||||
its('os_type') { should cmp 'Windows' }
|
||||
|
||||
|
@ -148,7 +148,7 @@ Returns the type of caching that has been set on the operating system disk.
|
|||
|
||||
### create\_option
|
||||
|
||||
When the operating system disk is created, how it was created is set as an property. This property returns how the disk was created.
|
||||
When the operating system disk is created, how it was created is set as a property. This property returns how the disk was created.
|
||||
|
||||
its('create_option') { should cmp 'FromImage' }
|
||||
|
||||
|
|
|
@ -130,7 +130,7 @@ Returns an integer of size of this disk in GB.
|
|||
|
||||
### lun
|
||||
|
||||
The disk number as reported by Azure. This is a zero based index value.
|
||||
The disk number as reported by Azure. Has a zero-based index value.
|
||||
|
||||
its('lun') { should cmp 0 }
|
||||
|
||||
|
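Review bot: "Has a zero-based index value." has no subject and reads as a fragment; the old "This is a zero based index value." only needed the hyphen. Suggest "This is a zero-based index."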
@ -142,7 +142,7 @@ String stating the caching that has been set on the disk.
|
|||
|
||||
### create\_option
|
||||
|
||||
How the disk was created. Typically for data disks this will be the string value 'Empty'.
|
||||
How the disk was created. Typically for data disks, this will be the string value 'Empty'.
|
||||
|
||||
its('create_option') { should cmp 'Empty' }
|
||||
|
||||
|
@ -154,7 +154,7 @@ Boolean stating if the disk is a managed disk or not. If it is not a managed dis
|
|||
|
||||
### vhd\_uri
|
||||
|
||||
If this _not_ a managed disk then the `vhd_uri` will be the full URI to the disk in the storage account.
|
||||
If this _not_ a managed disk, then the `vhd_uri` will be the full URI to the disk in the storage account.
|
||||
|
||||
its('vhd_uri') { should cmp '
|
||||
https://primary_storage.blob.core.windows.net/container_name/vm_name.vhd' }
|
||||
|
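Review bot: both the old and the new line read "If this _not_ a managed disk"; the verb is missing ("If this is _not_ a managed disk, ..."). Also, as rendered here the example's string literal is split across two lines (`should cmp '` on one line and the URL on the next); if the Markdown source really contains that line break, the snippet is not valid Ruby and should be kept on a single line.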
@ -169,7 +169,7 @@ This derived from the `vhd_uri`.
|
|||
|
||||
### storage\_account\_type
|
||||
|
||||
If this is a managed disk this is the storage account type, e.g. `Standard_LRS`
|
||||
If this is a managed disk this is the storage account type, e.g. `Standard_LRS`.
|
||||
|
||||
its('storage_account_type') { should cmp 'Standard_LRS' }
|
||||
|
||||
|
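Review bot: the hunk header context "This derived from the `vhd_uri`." is missing "is" ("This is derived from the `vhd_uri`."). In the changed line, a comma after "If this is a managed disk" would make "this is the storage account type" read clearly as the main clause.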
@ -221,4 +221,4 @@ Returns a boolean stating if the machine has Managed Disks for data disks.
|
|||
|
||||
* [Azure Ruby SDK - Compute](https://github.com/Azure/azure-sdk-for-ruby/tree/master/management/azure_mgmt_compute)
|
||||
* [Linux Internal Data Disks](https://github.com/chef/inspec/blob/master/test/azure/verify/controls/virtual_machine_linux_external_vm_datadisk.rb)
|
||||
* [Windows Internal Data Disk](https://github.com/chef/inspec/blob/master/test/azure/verify/controls/virtual_machine_windows_internal_vm_datadisk.rb)
|
||||
* [Windows Internal Data Disk](https://github.com/chef/inspec/blob/master/test/azure/verify/controls/virtual_machine_windows_internal_vm_datadisk.rb)
|
||||
|
|
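Review bot: the link labelled "Linux Internal Data Disks" points at `virtual_machine_linux_external_vm_datadisk.rb`, so either the label or the target is wrong (the Windows entry is labelled "Internal" and points at an `internal_vm` file). The Windows entry is the only line touched here and the change is invisible in this view, presumably whitespace.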