aws_route_tables Resource
Use the aws_route_tables
InSpec audit resource to test the properties of all route tables or a group of route tables, and all routes or a group of routes. A route table contains a set of rules, called routes, that are used to determine where network traffic is directed.
For additional information, including details on parameters and properties, see the AWS documentation on route tables.
Install
This resource is available in the Chef InSpec AWS resource pack.
For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.
Syntax
describe aws_route_tables do
it { should exist }
end
Parameters
This resource does not require any parameters.
Properties
route_table_ids
- The route table IDs.
Field:
route_table_id
vpc_ids
- The VPC IDs.
Field:
vpc_id
entries
- Provides access to the raw results of the query, which can be treated as an array of hashes.
Field: Not Applicable
routes(carrier_gateway_ids)
- The ID of the carrier gateway.
Field:
carrier_gateway_id
routes(destination_cidr_blocks)
- The IPv4 CIDR block used for the destination match.
Field:
destination_cidr_block
routes(destination_ipv_6_cidr_blocks)
- The IPv6 CIDR block used for the destination match.
Field:
destination_ipv_6_cidr_block
routes(destination_prefix_list_ids)
- The prefix of the AWS service.
Field:
destination_prefix_list_id
routes(egress_only_internet_gateway_ids)
- The ID of the egress-only internet gateway.
Field:
egress_only_internet_gateway_id
routes(gateway_ids)
- The ID of a gateway attached to your VPC.
Field:
gateway_id
routes(instance_ids)
- The ID of a NAT instance in your VPC.
Field:
instance_id
routes(local_gateway_ids)
- The ID of the local gateway.
Field:
instance_owner_id
routes(nat_gateway_ids)
- The ID of a NAT gateway.
Field:
nat_gateway_id
routes(network_interface_ids)
- The ID of the network interface.
Field:
network_interface_id
routes(transit_gateway_ids)
- The ID of a transit gateway.
Field:
transit_gateway_id
routes(vpc_peering_connection_ids)
- The ID of a VPC peering connection.
Field:
vpc_peering_connection_id
routes(instance_owner_ids)
- The owner ID of a NAT instance in your VPC.
Field:
instance_owner_id
routes(origins)
- Describes how the route was created.
Field:
origin
routes(states)
- The state of the route.
Field:
state
route_table_association_ids
- List of associated route table association IDs.
Field:
route_table_association_ids
association_subnet_ids
- List of all association states(
associated
,failed
,disassociated
) subnet IDs. Field:
association_subnet_ids
associated_subnet_ids
- List of associated subnet IDs.
Field:
associated_subnet_ids
association_gateway_ids
- List of all association states(
associated
,failed
,disassociated
) gateway IDs. Field:
association_gateway_ids
associated_gateway_ids
- List of associated gateway IDs.
Field:
associated_gateway_ids
association_states
- List of all association states(
associated
,failed
,disassociated
). Field:
association_states
main
- flag to indicate the main route table.
Field:
main
Examples
Confirm that a route table exists.
describe aws_route_tables do
its('vpc_ids') { should include 'VPC_ID' }
end
Confirm a route table exists.
describe aws_route_tables do
its('route_table_ids') { should include 'ROUTE_TABLE_ID' }
end
Confirm a destination_cidr_blocks is there in the routes.
describe aws_route_tables do
its('destination_cidr_blocks') { should include "IPV4_CIDR_BLOCK" }
end
Ensure subnet ID of interest is associated .
describe aws_route_tables do
its('associated_subnet_ids') { should include 'SUBNET_ID' }
end
Filter only main route tables.
describe aws_route_tables.where(main: true) do
it { should exist }
end
Filter all failed associations.
describe aws_route_tables.where{ association_states.include?('associated') } do
it { should exist }
end
Matchers
exist
The control will pass if the describe returns at least one result.
Use should
to test the entity should not exist.
describe aws_route_tables do
it { should exist }
end
AWS Permissions
Your Principal will need the EC2:Client:DescribeRouteTablesResult
action with Effect
set to Allow
.
You can find detailed documentation at Actions, Resources, and Condition Keys for Amazon EC2.