aws_route_table Resource
Use the aws_route_table
InSpec audit resource to test the properties of a single route or route table. A route table contains a set of rules, called routes, that are used to determine where network traffic is directed.
For additional information, including details on parameters and properties, see the AWS documentation on route tables and the AWS documentation on routes.
Install
This resource is available in the Chef InSpec AWS resource pack.
For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.
Syntax
This resource expects a single parameter that uniquely identifies the route table. You may pass it as a string, or as the value in a hash:
describe aws_route_table('ROUTE_TABLE_ID') do
it { should exist }
end
describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do
it { should exist }
end
Parameters
route_table_id
(required)This resource accepts a single parameter, the
route_table_id
. This can be passed either as a string or as aroute_table_id: 'value'
key-value entry in a hash.
Properties
route_table_id
- The ID of the route table.
owner_id
- The ID of the AWS account that owns the route table.
vpc_id
- The ID of the VPC.
routes
- The routes in the route table.
associations
- The associations between the route table and one or more subnets.
propagating_vgws
- Any virtual private gateway (VGW) propagating routes.
tags
- Any tags assigned to the route table.
routes(carrier_gateway_id)
- The ID of the carrier gateway.
routes(destination_cidr_block)
- The IPv4 CIDR block used for the destination match.
routes(destination_ipv_6_cidr_block)
- The IPv6 CIDR block used for the destination match.
routes(destination_prefix_list_id)
- The prefix of the AWS service.
routes(egress_only_internet_gateway_id)
- The ID of the egress-only internet gateway.
routes(gateway_id)
- The ID of a gateway attached to your VPC.
routes(instance_id)
- The ID of a NAT instance in your VPC.
routes(local_gateway_id)
- The ID of the local gateway.
routes(nat_gateway_id)
- The ID of a NAT gateway.
routes(network_interface_id)
- The ID of the network interface.
routes(transit_gateway_id)
- The ID of a transit gateway.
routes(vpc_peering_connection_id)
- The ID of a VPC peering connection.
routes(instance_owner_id)
- The owner ID of a NAT instance in your VPC.
routes(origin)
- Describes how the route was created.
routes(state)
- The state of the route.
associated_subnet_ids
- List of associated subnet IDs.
associated_gateway_ids
- List of associated gateway IDs.
Examples
Confirm that the route table has expected VPC identifier.
describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do
its('vpc_id') { should eq 'VPC_ID' }
end
Confirm that the route table has expected owner identifier.
describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do
its('owner_id') { should eq 'OWNER_ID' }
end
Ensure the expected number of routes is present.
describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do
its('routes.count') { should eq 2 }
end
Ensure the expected number of associations is present.
describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do
its('associations.count') { should eq 1 }
end
Ensure the subnet ID of interest is associated.
describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do
its('associated_subnet_ids') { should include 'SUBNET_ID' }
end
Ensure no gateways are associated.
describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do
its('associated_gateway_ids') { should be_empty }
end
Ensure there are no virtual private gateway (VGW) propagating routes.
describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do
its('propagating_vgws') { should be_empty }
end
Confirm that the route table has the expected destination IPv4 CIDR block of the route.
describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do
its('routes.first.destination_cidr_block') { should eq 'IPV4_CIDR_BLOCK' }
end
Matchers
For a full list of available matchers, visit the InSpec matchers page.
exist
The control will pass if the describe returns at least one result.
Use should_not
to test the entity should not exist.
describe aws_route_table('should-be-there') do
it { should exist }
end
describe aws_route_table('should-not-be-there') do
it { should_not exist }
end
main
The control will pass if the route table is the main route table for the VPC.
describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do
it { should be_main }
end
have_subnet_associated
The control will pass if the subnet is associated with the route table.
describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do
it { should have_subnet_associated('SUBNET_ID') }
end
have_gateway_associated
The control will pass if the specified gateway is associated with the route table.
describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do
it { should have_gateway_associated('GATEWAY_ID') }
end
have_failed_association_value
The control will pass if the specified gateway, subnet, or association that is associated with the route table has a failed state.
describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do
it { should have_failed_association_value(gateway_id: 'GATEWAY_ID') }
end
describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do
it { should have_failed_association_value(subnet_id: 'SUBNET_ID') }
end
describe aws_route_table(route_table_id: 'ROUTE_TABLE_ID') do
it { should have_failed_association_value(route_table_association_id: 'ROUTE_TABLE_ASSOCIATION_ID') }
end
AWS Permissions
Your Principal will need the EC2:Client:DescribeRouteTablesResult
action with Effect
set to Allow
.
You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon EC2.