mirror of
https://github.com/inspec/inspec
synced 2024-11-23 13:13:22 +00:00
100 lines
2.8 KiB
Ruby
100 lines
2.8 KiB
Ruby
require "resource_support/aws/aws_singular_resource_mixin"
|
|
require "resource_support/aws/aws_backend_base"
|
|
require "aws-sdk-kms"
|
|
|
|
class AwsKmsKey < Inspec.resource(1)
|
|
name "aws_kms_key"
|
|
desc "Verifies settings for an individual AWS KMS Key"
|
|
example <<~EXAMPLE
|
|
describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
|
|
it { should exist }
|
|
end
|
|
EXAMPLE
|
|
|
|
supports platform: "aws"
|
|
|
|
include AwsSingularResourceMixin
|
|
attr_reader :key_id, :arn, :creation_date, :key_usage, :key_state, :description,
|
|
:deletion_date, :valid_to, :external, :has_key_expiration, :managed_by_aws,
|
|
:has_rotation_enabled, :enabled
|
|
# Use aliases for matchers
|
|
alias deletion_time deletion_date
|
|
alias invalidation_time valid_to
|
|
alias external? external
|
|
alias enabled? enabled
|
|
alias managed_by_aws? managed_by_aws
|
|
alias has_key_expiration? has_key_expiration
|
|
alias has_rotation_enabled? has_rotation_enabled
|
|
|
|
def to_s
|
|
"KMS Key #{@key_id}"
|
|
end
|
|
|
|
def created_days_ago
|
|
((Time.now - creation_date) / (24 * 60 * 60)).to_i unless creation_date.nil?
|
|
end
|
|
|
|
private
|
|
|
|
def validate_params(raw_params)
|
|
validated_params = check_resource_param_names(
|
|
raw_params: raw_params,
|
|
allowed_params: [:key_id],
|
|
allowed_scalar_name: :key_id,
|
|
allowed_scalar_type: String
|
|
)
|
|
|
|
if validated_params.empty?
|
|
raise ArgumentError, "You must provide the parameter 'key_id' to aws_kms_key."
|
|
end
|
|
|
|
validated_params
|
|
end
|
|
|
|
def fetch_from_api
|
|
backend = BackendFactory.create(inspec_runner)
|
|
|
|
query = { key_id: @key_id }
|
|
catch_aws_errors do
|
|
|
|
resp = backend.describe_key(query)
|
|
|
|
@exists = true
|
|
@key = resp.key_metadata.to_h
|
|
@key_id = @key[:key_id]
|
|
@arn = @key[:arn]
|
|
@creation_date = @key[:creation_date]
|
|
@enabled = @key[:enabled]
|
|
@description = @key[:description]
|
|
@key_usage = @key[:key_usage]
|
|
@key_state = @key[:key_state]
|
|
@deletion_date = @key[:deletion_date]
|
|
@valid_to = @key[:valid_to]
|
|
@external = @key[:origin] == "EXTERNAL"
|
|
@has_key_expiration = @key[:expiration_model] == "KEY_MATERIAL_EXPIRES"
|
|
@managed_by_aws = @key[:key_manager] == "AWS"
|
|
|
|
resp = backend.get_key_rotation_status(query)
|
|
@has_rotation_enabled = resp.key_rotation_enabled unless resp.empty?
|
|
rescue Aws::KMS::Errors::NotFoundException
|
|
@exists = false
|
|
return
|
|
|
|
end
|
|
end
|
|
|
|
class Backend
|
|
class AwsClientApi < AwsBackendBase
|
|
BackendFactory.set_default_backend(self)
|
|
self.aws_client_class = Aws::KMS::Client
|
|
|
|
def describe_key(query)
|
|
aws_service_client.describe_key(query)
|
|
end
|
|
|
|
def get_key_rotation_status(query)
|
|
aws_service_client.get_key_rotation_status(query)
|
|
end
|
|
end
|
|
end
|
|
end
|