Mirrors/inspec
2
0
Fork 0
mirror of https://github.com/inspec/inspec synced 2024-12-18 00:53:22 +00:00
Code Issues Projects Releases Packages Wiki Activity
inspec/docs/resources/aws_vpc_subnets.md
Clinton Wolfe 4d8eb48855
Skeletal aws_vpc_subnets resource (#228) 
Signed-off-by: Matthew Dromazos <dromazmj@dukes.jmu.edu>
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
2018-02-07 20:12:02 -05:00

3.1 KiB
Raw Blame History

title
About the aws_vpc_subnets Resource

aws_vpc_subnets

Use the aws_vpc_subnets InSpec audit resource to test properties of some or all subnets.

Subnets are networks within a VPC that can have their own block of IP address's and ACL's. VPCs span across all availability zones in AWS, while a subnet in a VPC can only span a single availability zone. Separating IP addresses allows for protection if there is a failure in one availability zone.


Syntax

An aws_vpc_subnets resource block uses an optional filter to select a group of subnets and then tests that group.

# Test all subnets within a single vpc
describe aws_vpc_subnets.where(vpc_id: 'vpc-12345678') do
  its('subnet_ids') { should include 'subnet-12345678' }
  its('subnet_ids') { should include 'subnet-98765432' }
end

Examples

The following examples show how to use this InSpec audit resource.

As this is the initial release of aws_vpc_subnets, its limited functionality precludes examples.


Matchers

exists

The control will pass if the filter returns at least one result. Use should_not if you expect zero matches.

# You dont always have subnets, so you can test if there are any.
describe aws_vpc_subnets
  it { should exist }
end

# Test that there are subnets in a vpc
describe aws_vpc_subnets.where(vpc_id: 'vpc-12345678')
  it { should exist }
end

Filter Criteria

vpc_id

A string identifying the VPC which may or may not contain subnets.

# Look for all subnts within a vpc.
describe aws_vpc_subnets.where( vpc_id: 'vpc-12345678') do
  its('subnet_ids') { should include 'subnet-12345678' }
  its('subnet_ids') { should include 'subnet-98765432' }
end

subnet_id

A string identifying a specific subnet.

# Examine a specific subnet
describe aws_vpc_subnets.where(subnet_id: 'subnet-12345678') do
  its('cidr_blocks') { should eq ['10.0.1.0/24'] }
end

Properties

cidr_blocks

Provides a string that contains the cidr block of ip addresses that can be given in the subnet.

# Examine a specific subnets cidr_blocks
describe aws_vpc_subnets.where( subnet_id: 'subnet-12345678') do
  its('cidr_blocks') { should eq ['10.0.1.0/24'] }
end

vpc_ids

Provides an array containing a string of the vpc_id associated with a subnet.

# Examine a specific subnets VPC IDS
describe aws_vpc_subnets.where( subnet_id: 'subnet-12345678') do
  its('vpc_ids') { should include 'vpc-12345678' }
end

subnet_ids

Provides an array of strings containing the subnet IDs associated with a vpc.

# Examine a specific vpcs Subnet IDs
describe aws_vpc_subnets.where( vpc_id: 'vpc-12345678') do
  its('subnet_ids') { should include 'subnet-12345678' }
  its('subnet_ids') { should include 'subnet-98765432' }
end

states

Provides an array of strings including whether the subnets are available or not.

# Examine a specific vpcs Subnet IDs
describe aws_vpc_subnets.where( vpc_id: 'vpc-12345678') do
  its('states') { should_not include 'pending' }
end