aws_cloudfront_distributions Resource
Use the aws_cloudfront_distributions InSpec audit resource to test the properties of a collection of an AWS CloudFront distributions.
For additional information, including details on parameters and properties, see the AWS API reference for CloudFront distributions.
Install
This resource is available in the Chef InSpec AWS resource pack.
For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.
Syntax
Ensure that a particular CloudFront distribution exists in aws_cloudfront_distributions:
describe aws_cloudfront_distributions do
its('distribution_ids') { should include 'DISTRIBUTION_ID' }
end
Parameters
This resource does not require any parameters.
Properties
distribution_ids- The names of the CloudFront distributions.
distribution_arns- The Amazon Resource Name (ARN) of the CloudFront distributions.
statuses- The statuses of the CloudFront distributions (
InProgressorDeployed). domain_names- The domain names for the CloudFront distributions.
origin_domains_names- The domain names for the CloudFront distributions’ origins (an array for each distribution).
default_cache_viewer_protocol_policies- The viewer protocol policy for the default cache for each of the CloudFront distributions. Values:
http-only,redirect-to-httpsorallow-all. cache_viewer_protocol_policies- The viewer protocol policy for all non-default caches for each of the CloudFront distributions (an array for each distribution). Values:
http-only,redirect-to-httpsorallow-all. There may be an empty array for a distribution if no non-default caches are present. custom_origin_ssl_protocols- An array for each CloudFront distribution containing SSL/TLS protocols allowed by all of the custom origins in that distribution, empty where no custom origins exist for a distribution. Current SSL/TLS protocol identifiers:
SSLv3,TLSv1,TLSv1_1026,TLSv1.1_2016,TLSv1.2_2018,TLSv1.2_2019andTLSv1.2_2021. s3_origin_config- Booleans indicating whether there are any S3 origin configs in a particular distribution (non-custom S3 bucket origins).
price_classes- The price classes for distributions, which corresponds with the maximum price that you want to pay for CloudFront service. Valid Values:
PriceClass_100,PriceClass_200,PriceClass_All. enabled- Booleans indicating whether the distributions are enabled.
viewer_certificate_ssl_support_methods- The SSL support methods for Viewer Certificates for the distributions, only set for distributions with aliases. Valid values:
sni-only,viporstatic-ip. viewer_certificate_minimum_ssl_protocols- The minimum SSL/TLS protocol allowed by the Viewer Certificate in each distribution. Current valid values:
SSLv3,TLSv1,TLSv1_2016,TLSv1.1_2016,TLSv1.2_2018,TLSv1.2_2019,TLSv1.2_2021. http_versions- The maximum HTTP versions that viewers may to use to communicate with CloudFront distributions. Valid values:
http1.1orhttp2. ipv6_enabled- Booleans indicating whether IPv6 is enabled for CloudFront distributions.
Examples
Test that a particular CloudFront distribution exists, and that no cache viewer protocol policies allow HTTP.
describe aws_cloudfront_distributions do
its('distribution_ids') { should include 'DISTRIBUTION_ID' }
its('default_cache_viewer_protocol_policies') { should_not include 'allow-all' }
its('cache_viewer_protocol_policies') { should_not include 'allow-all' }
end
Matchers
For a full list of available matchers, see our Universal Matchers page.This resource has the following special matchers.
exist
The control will pass if the describe returns at least one result.
Use should_not to test the entity should not exist.
describe aws_cloudfront_distributions do
it { should exist }
end
AWS Permissions
Your Principal will need the CloudFront:Client:ListDistributionsResult action with Effect set to Allow.
You can find detailed documentation at Identity and Access Management (IAM) in CloudFront.