aws_nat_gateway Resource
Use the aws_nat_gateway InSpec audit resource to test the properties of a single AWS NAT gateway.
Install
This resource is available in the Chef InSpec AWS resource pack.
For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.
Syntax
An aws_nat_gateway resource block declares the tests for a single AWS NAT gateway by id, name, vpc_id or subnet_id.
describe aws_nat_gateway(id: 'nat-abc0123456789deff') do
it { should exist }
end
describe aws_nat_gateway(name: 'my-nat-gateway') do
it { should exist }
end
Multiple parameters can be provided for better granularity.
describe aws_nat_gateway(vpc_id: 'vpc-abc01234', subnet_id: 'subnet-6789deff') do
it { should exist }
end
Parameters
At least one of the following parameters must be provided.
- id
- name
- subnet_id
- vpc_id
id
The value of the nat_gateway_id assigned by AWS after the resource has been created. This should be in the format of nat- followed by 8 or 17 hexadecimal characters and passed as an id: 'value' key-value entry in a hash.
name
If a Name tag is applied to the NAT gateway, this can be used to look up the resource. This must be passed as a name: 'value' key-value entry in a hash. If there are multiple NAT gateways with the same name, this resource will raise an error.
subnet_id
The ID of the subnet in which the NAT gateway is placed. This should be in the format of subnet- followed by 8 or 17 hexadecimal characters and passed as a subnet_id: 'value' key-value entry in a hash.
vpc_id
The ID of the VPC in which the NAT gateway is located. This should be in the format of vpc- followed by 8 or 17 hexadecimal characters and passed as a vpc_id: 'value' key-value entry in a hash.
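The parameter rules above (ID formats, lookup by Name tag, an error on ambiguous names, AND-ing of several parameters) in plain Ruby, as an added illustration; this is not InSpec's own implementation, and the gateway records below are constructed stand-ins for a DescribeNatGateways response.

```ruby
# Expected formats: prefix followed by 8 or 17 hexadecimal characters.
ID_FORMATS = {
  id:        /\Anat-[0-9a-f]{8}([0-9a-f]{9})?\z/,
  subnet_id: /\Asubnet-[0-9a-f]{8}([0-9a-f]{9})?\z/,
  vpc_id:    /\Avpc-[0-9a-f]{8}([0-9a-f]{9})?\z/,
}.freeze

# Constructed sample data (hypothetical gateways, not real AWS resources).
NAT_GATEWAYS = [
  { id: 'nat-abc0123456789deff', vpc_id: 'vpc-abc01234', subnet_id: 'subnet-6789deff',
    state: 'available', tags: { 'Name' => 'my-nat-gateway', 'environment' => 'dev' } },
  { id: 'nat-0123abcd', vpc_id: 'vpc-abc01234', subnet_id: 'subnet-12345678',
    state: 'pending', tags: { 'Name' => 'shared-nat' } },
  { id: 'nat-0123abce', vpc_id: 'vpc-00000001', subnet_id: 'subnet-00000001',
    state: 'available', tags: { 'Name' => 'shared-nat' } },
].freeze

# Reject an empty hash, unknown keys and malformed IDs before any lookup.
def validate_params!(params)
  raise ArgumentError, 'at least one of id, name, subnet_id, vpc_id is required' if params.empty?
  params.each do |key, value|
    next if key == :name # a Name tag value has no fixed format
    fmt = ID_FORMATS.fetch(key) { raise ArgumentError, "unknown parameter #{key}" }
    raise ArgumentError, "#{key} '#{value}' is not in the expected format" unless fmt.match?(value)
  end
end

# Resolve the single gateway selected by params. Every parameter given must
# match (name is matched against the Name tag). Returns nil when nothing
# matches and raises when the parameters are ambiguous.
def find_nat_gateway(params, gateways = NAT_GATEWAYS)
  validate_params!(params)
  matches = gateways.select do |gw|
    params.all? do |key, value|
      key == :name ? gw[:tags]['Name'] == value : gw[key] == value
    end
  end
  raise "multiple NAT gateways match #{params}" if matches.size > 1
  matches.first
end
```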
Properties
id
- The ID of the NAT gateway.
name
- The value of the Name tag. It is nil if not defined.
vpc_id
- The ID of the VPC in which the NAT gateway is located.
subnet_id
- The ID of the subnet in which the NAT gateway is placed.
tags
- A hash, with each key-value pair corresponding to a NAT gateway tag.
nat_gateway_address_set
- A hash of NatGatewayAddress objects that gives information about the IP addresses and network interfaces associated with the NAT gateway.
state
- The state of the NAT gateway. Valid values are: pending, failed, available, deleting and deleted.
There are also additional properties available. For a comprehensive list, see the API reference documentation.
Examples
Test that the NAT gateway is in the available state.
describe aws_nat_gateway(name: 'my-nat-gateway') do
its('state') { should eq 'available' }
end
Test that the ID of the VPC is vpc-1234567890abcdef1.
describe aws_nat_gateway(id: 'nat-abc0123456789deff') do
its('vpc_id') { should eq 'vpc-1234567890abcdef1' }
end
Test that the NAT gateway has a certain tag.
describe aws_nat_gateway(name: 'my-nat-gateway') do
its('tags') { should include('environment' => 'dev') }
its('tags') { should include('environment') } # Regardless of the value.
end
Test that the private IP address is 10.0.1.68.
describe aws_nat_gateway(vpc_id: 'vpc-abc01234', subnet_id: 'subnet-12345678') do
its('nat_gateway_address_set') { should include(:private_ip => '10.0.1.68') }
end
For more examples, see the integration tests.
Matchers
This InSpec audit resource has the following special matcher. For a full list of available matchers, visit the InSpec matchers page.
exist
describe aws_nat_gateway(name: 'my-nat-gateway') do
it { should exist }
end
AWS Permissions
Your Principal will need the EC2:Client:DescribeNatGatewaysResult action with Effect set to Allow.
You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon EC2, and Actions, Resources, and Condition Keys for Identity And Access Management.