mirror of
https://github.com/inspec/inspec
synced 2024-11-23 21:23:29 +00:00
b3fafab1e6
* add aws_eks_cluster Signed-off-by: Timothy van Zadelhoff timothy.inspec@theothersolution.nl * disable ABC check on fetch_from_api Signed-off-by: Timothy van Zadelhoff <timothy.inspec@theothersolution.nl> * add status predicates * Change docs for status attribute Signed-off-by: Timothy van Zadelhoff <timothy.inspec@theothersolution.nl> * Add integration tests Signed-off-by: Timothy van Zadelhoff <timothy.inspec@theothersolution.nl> * Adjust EKS build code to almost work Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * EKS only uses private subnets - integration tests pass Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Correct AWS Exception class for resource search miss in unit test Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Update unit test to reflect AWS resource-standard miss behavior, returning nil for most properties Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
190 lines
No EOL
7 KiB
Text
190 lines
No EOL
7 KiB
Text
## Resource Parameters
|
|
|
|
An `aws_eks_cluster` resource block declares the tests for a single EKS Cluster by Cluster name.
|
|
|
|
describe aws_eks_cluster('my-eks') do
|
|
it { should exist }
|
|
end
|
|
|
|
describe aws_eks_cluster(cluster_name: 'my-eks') do
|
|
its('status') { should eq 'ACTIVE' }
|
|
end
|
|
|
|
<br>
|
|
|
|
## Examples
|
|
|
|
The following examples show how to use this InSpec audit resource.
|
|
|
|
### Test that an EKS Cluster does not exist
|
|
|
|
describe aws_eks_cluster('bad-eks') do
|
|
it { should_not exist }
|
|
end
|
|
|
|
### Test that an EKS Cluster has at least 2 subnets
|
|
|
|
describe aws_eks_cluster('my-cluster') do
|
|
its('subnets_count') { should be > 1 }
|
|
end
|
|
|
|
<br>
|
|
|
|
## Properties
|
|
|
|
### version
|
|
|
|
Returns a string identifying the version of the EKS Cluster.
|
|
|
|
# Verify the version is 1.5
|
|
describe aws_eks_cluster('my-cluster') do
|
|
its('version') { should cmp '1.5' }
|
|
end
|
|
|
|
### arn
|
|
|
|
Returns the ARN of the cluster. This is the Amazon resource name.
|
|
|
|
# Verify the arn is what we expect it to be
|
|
describe aws_eks_cluster('my-cluster') do
|
|
its('arn') { should eq 'arn:aws:eks:ab-region-1:012345678910:cluster/kangaroo' }
|
|
end
|
|
|
|
### name
|
|
|
|
The name of the EKS cluster within AWS. The EKS name is unique within the region.
|
|
|
|
# Ensure that the EKS's name is what we said it was
|
|
describe aws_eks_cluster('my-cluster') do
|
|
its('name') { should match /my-cluster/ }
|
|
end
|
|
|
|
### status
|
|
|
|
Returns a string containing the current status of the cluster, possible values are: CREATING,ACTIVE,DELETING,FAILED.
|
|
|
|
# ensure the cluster is available or being created
|
|
describe aws_eks_cluster('my-cluster') do
|
|
its('status') { should be_in %w(ACTIVE CREATING) }
|
|
end
|
|
|
|
Status can also be called with predicates.
|
|
|
|
# ensure the cluster is available
|
|
describe aws_eks_cluster('my-cluster') do
|
|
it { should be_active }
|
|
end
|
|
|
|
# ensure the cluster is being removed
|
|
describe aws_eks_cluster('my-cluster') do
|
|
it { should be_deleting }
|
|
end
|
|
|
|
### endpoint
|
|
|
|
Returns a string with the K8s API server endpoint. The endpoint is used by kubectl to control the cluster.
|
|
|
|
# Ensure that the endpoint is what we expect it to be
|
|
describe aws_eks_cluster('my-cluster') do
|
|
its('endpoint') { should eq 'https://A0DCCD80A04F01705DD065655C30CC3D.yl4.aq-south-2.eks.amazonaws.com' }
|
|
end
|
|
|
|
### security\_group\_ids
|
|
|
|
Returns an array of strings reflecting the security group IDs (firewall rule sets) assigned to the EKS Cluster VPC.
|
|
|
|
# Ensure that a specific SG ID is assigned
|
|
describe aws_eks_cluster('my-cluster') do
|
|
its('security_group_ids') { should include 'sg-12345678' }
|
|
end
|
|
|
|
### subnet\_ids
|
|
|
|
Returns an array of strings reflecting the subnet IDs on which the EKS Cluster VPC is located.
|
|
|
|
# Ensure that the EKS VPC is on a specific subnet
|
|
describe aws_eks_cluster('my-cluster') do
|
|
its('subnet_ids') { should include 'subnet-12345678' }
|
|
end
|
|
|
|
### vpc\_id
|
|
|
|
Returns a String reflecting the ID of the VPC in which the EKS Cluster is located.
|
|
|
|
# Ensure that the EKS Cluster is on a specific VPC
|
|
describe aws_eks_cluster('my-cluster') do
|
|
its('vpc_id') { should cmp 'vpc-12345678' }
|
|
end
|
|
|
|
### role\_arn
|
|
|
|
Returns a String reflecting the Amazon resource name of the Amazon EKS Service IAM role the cluster is using.
|
|
|
|
# Ensure that the EKS Cluster is using a specific IAM role
|
|
describe aws_eks_cluster('my-cluster') do
|
|
its('role_arn') { should cmp 'rn:aws:iam::012345678910:role/eks-service-role-AWSServiceRoleForAmazonEKS-J7ONKE3BQ4PI' }
|
|
end
|
|
|
|
### certificate\_authority
|
|
|
|
Returns a String reflecting the certificate authority data used by kubectl to identify to the cluster.
|
|
|
|
# Ensure that the EKS Cluster is using specific certificate authority data
|
|
describe aws_eks_cluster('my-cluster') do
|
|
its('certificate_authority') { should cmp 'LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRFNE1EVXpNVEl6TVRFek1Wb1hEVEk0TURVeU9ESXpNVEV6TVZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTTZWCjVUaG4rdFcySm9Xa2hQMzRlVUZMNitaRXJOZGIvWVdrTmtDdWNGS2RaaXl2TjlMVmdvUmV2MjlFVFZlN1ZGbSsKUTJ3ZURyRXJiQyt0dVlibkFuN1ZLYmE3ay9hb1BHekZMdmVnb0t6b0M1N2NUdGVwZzRIazRlK2tIWHNaME10MApyb3NzcjhFM1ROeExETnNJTThGL1cwdjhsTGNCbWRPcjQyV2VuTjFHZXJnaDNSZ2wzR3JIazBnNTU0SjFWenJZCm9hTi8zODFUczlOTFF2QTBXb0xIcjBFRlZpTFdSZEoyZ3lXaC9ybDVyOFNDOHZaQXg1YW1BU0hVd01aTFpWRC8KTDBpOW4wRVM0MkpVdzQyQmxHOEdpd3NhTkJWV3lUTHZKclNhRXlDSHFtVVZaUTFDZkFXUjl0L3JleVVOVXM3TApWV1FqM3BFbk9RMitMSWJrc0RzQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFNZ3RsQ1dIQ2U2YzVHMXl2YlFTS0Q4K2hUalkKSm1NSG56L2EvRGt0WG9YUjFVQzIrZUgzT1BZWmVjRVZZZHVaSlZCckNNQ2VWR0ZkeWdBYlNLc1FxWDg0S2RXbAp1MU5QaERDSmEyRHliN2pVMUV6VThTQjFGZUZ5ZFE3a0hNS1E1blpBRVFQOTY4S01hSGUrSm0yQ2x1UFJWbEJVCjF4WlhTS1gzTVZ0K1Q0SU1EV2d6c3JRSjVuQkRjdEtLcUZtM3pKdVVubHo5ZEpVckdscEltMjVJWXJDckxYUFgKWkUwRUtRNWEzMHhkVWNrTHRGQkQrOEtBdFdqSS9yZUZPNzM1YnBMdVoyOTBaNm42QlF3elRrS0p4cnhVc3QvOAppNGsxcnlsaUdWMm5SSjBUYjNORkczNHgrYWdzYTRoSTFPbU90TFM0TmgvRXJxT3lIUXNDc2hEQUtKUT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=',
|
|
' }
|
|
end
|
|
|
|
### subnets\_count
|
|
|
|
Returns the number of subnets associated with the Cluster VPC.
|
|
|
|
# Test that an EKS Cluster has 2 subnets
|
|
describe aws_eks_cluster('my-cluster') do
|
|
its('subnets_count') { should eq 2 }
|
|
end
|
|
|
|
|
|
### created_at
|
|
|
|
Returns a Time object for the time the cluster was created at.
|
|
|
|
# Test that an EKS Cluster was created after a certain date
|
|
describe aws_eks_cluster('my-cluster') do
|
|
its('created_at') { should be > Time.new(2011) }
|
|
end
|
|
|
|
### security\_groups\_count
|
|
|
|
Returns the number of security groups associated with the Cluster VPC.
|
|
|
|
# Test that an EKS Cluster has 2 security groups
|
|
describe aws_eks_cluster('my-cluster') do
|
|
its('security_groups_count') { should eq 2 }
|
|
end
|
|
|
|
### integration with other resources
|
|
|
|
Using the resource together with other AWS resources.
|
|
|
|
# find the default security group for our VPC
|
|
my_vpc_id = aws_eks_cluster('my-cluster').vpc_id
|
|
default_security_group = aws_security_group(group_name: 'default', vpc_id: my_vpc_id)
|
|
|
|
# make sure we are not using the default security group
|
|
describe aws_eks_cluster('my-cluster') do
|
|
its('security_group_ids') { should_not include default_security_group.group_id }
|
|
end
|
|
|
|
<br>
|
|
|
|
## Matchers
|
|
|
|
This InSpec audit resource has no special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
|
|
|
|
|
|
## AWS Permissions
|
|
Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `eks:DescribeCluster` action set to Allow.
|
|
|
|
You can find detailed documentation at [Amazon EKS IAM Policies, Roles, and Permissions](https://docs.aws.amazon.com/eks/latest/userguide/IAM_policies.html)
|
|
The documentation for EKS actions is at [Policy Structure](https://docs.aws.amazon.com/eks/latest/userguide/iam-policy-structure.html#UsingWithEKS_Actions) |