aws_vpc Resource
Use the aws_vpc InSpec audit resource to test the properties of a single AWS Virtual Private Cloud (VPC) and the CIDR Block that is used within the VPC.
Each VPC is uniquely identified by its ID. In addition, each VPC has a non-unique CIDR IP address range (such as 10.0.0.0/16), which it manages.
Every AWS account has at least one VPC, the “default” VPC, in every region.
For additional information, including details on parameters and properties, see the AWS documentation on VPCs.
Install
This resource is available in the Chef InSpec AWS resource pack.
For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.
Syntax
An aws_vpc resource block identifies a VPC by ID. If no VPC ID is provided, the default VPC is used.
# Find the default VPC
describe aws_vpc do
it { should exist }
end
# Find a VPC by ID
describe aws_vpc('VPC-12345678987654321') do
it { should exist }
end
# Hash syntax for ID
describe aws_vpc(vpc_id: 'VPC-12345678') do
it { should exist }
end
Parameters
If no parameter is provided, the subscription’s default VPC will be returned.
vpc_id(optional)This resource accepts a single parameter, the VPC ID. This can be passed either as a string or as a
vpc_id: 'VALUE'key-value entry in a hash.
Properties
cidr_block- The IPv4 address range that is managed by the VPC.
dhcp_options_id- The ID of the set of DHCP options associated with the VPC (or
defaultif the default options are associated with the VPC). instance_tenancy- The allowed tenancy of the instances launched into the VPC.
state- The state of the VPC. Valid values:
pendingandavailable. vpc_id- The ID of the VPC.
tags- The tags of the VPC.
associated_cidr_blocks- The associated CIDR blocks.
disassociated_cidr_blocks- The CIDR blocks that are disassociated.
failed_cidr_blocks- The failed CIDR block associations.
associating_cidr_blocks- The CIDR block associations that are yet in the pending stage.
disassociating- The CIDR block associations that are yet in the disassociating stage.
failing- The CIDR block associations that are yet in failing stage.
Examples
The following examples show how to use this InSpec audit resource.
Test the CIDR Block of a named VPC.
describe aws_vpc('VPC-87654321') do
its('cidr_block') { should cmp '10.0.0.0/16' }
end
Test the state of the VPC.
describe aws_vpc do
its ('STATE') { should eq 'AVAILABLE' }
**or equivalently.**
it { should be_available }
end
Test the allowed tenancy of instances launched into the VPC.
describe aws_vpc do
its ('INSTANCE_TENANCY') { should eq 'DEFAULT' }
it { should be_default_instance }
it { should_not be_dedicated_instance }
it { should_not be_host_instance }
end
Test tags on the VPC.
describe aws_vpc do
its('TAGS') { should include(:Environment => 'ENV-NAME',
:Name => 'VPC-NAME')}
end
Test if the IPV6 CIDR Block is associated to a named VPC.
describe aws_vpc do
it { should have_ipv6_cidr_block_associated?(aws_ipv_6_cidr_block_association_set_ipv_6_cidr_block) }
end
Test if the CIDR Block is associated to a named VPC.
describe aws_vpc do
it { should have_cidr_block_associated?(aws_cidr_block) }
end
Matchers
This InSpec audit resource has the following special matchers. For a complete list of available matchers, please visit our matchers page.
be_default
The test will pass if the identified VPC is the default VPC for the region.
describe aws_vpc('VPC-87654321') do
it { should be_default }
end
be_available
The test will pass if the identified VPC has a available state.
describe aws_vpc('VPC-87654321') do
it { should be_available }
end
be_pending
Check if the identified VPC has a pending state.
describe aws_vpc('VPC-123456') do
it { should be_pending }
end
be_default_instance
Check if the identified VPC has a default instance tendency.
describe aws_vpc('VPC-87654321') do
it { should be_default_instance }
end
be_dedicated_instance
Check if the identified VPC has a dedicated instance tendency.
describe aws_vpc('VPC-87654321') do
it { should be_dedicated_instance }
end
be_host_instance
Check if the identified VPC has a host instance tendency.
describe aws_vpc('VPC-87654321') do
it { should be_host_instance }
end
have_cidr_block_associated
Check if a cidr block is associated to the identified VPC.
describe aws_vpc('VPC-87654321') do
it { should have_cidr_block_associated('10.0.0.0/27') }
end
have_cidr_block_association_failed
Check if a cidr block has failed to associated to the identified VPC.
describe aws_vpc('VPC-87654321') do
it { should have_cidr_block_failed('10.0.0.0/27') }
end
have_cidr_block_disassociated
Check if a cidr block has failed to associated to the identified VPC.
describe aws_vpc('VPC-87654321') do
it { should have_cidr_block_disassociated('10.0.0.0/27') }
end
have_ipv6_cidr_block_associated
Check if the IPV6 cidr block is associated to the identified VPC.
describe aws_vpc('VPC-87654321') do
it { should have_ipv6_cidr_block_associated('2600:1f16:409:6700::/56') }
end
have_ipv6_cidr_block_disassociated
Check if the IPV6 cidr block is disassociated to the identified VPC.
describe aws_vpc('VPC-87654321') do
it { should have_ipv6_cidr_block_disassociated('2600:1f16:409:6700::/56') }
end
have_ipv6_cidr_block_association_failed
Check if the IPV6 cidr block failed to associate to the identified VPC.
describe aws_vpc('VPC-87654321') do
it { should have_ipv6_cidr_block_association_failed('2600:1f16:409:6700::/56') }
end
have_network_border_group_value
Check if the associated IPV6 cidr block has valid network border group value for the identified VPC.
describe aws_vpc('VPC-87654321') do
it { should have_network_border_group_value(ipv6_cidr_block: '2600:1f16:409:6700::/56', network_border_group: 'us-east-2a') }
end
have_ipv6_pool_value
Check if the associated IPV6 cidr block has valid IPv6 Pool value for the identified VPC.
describe aws_vpc('VPC-87654321') do
it { should have_ipv6_pool_value(ipv6_cidr_block: '2600:1f16:409:6700::/56', ipv6_pool: 'Amazon') }
end
AWS Permissions
Your Principal will need the EC2:Client:DescribeVpcsResult action with Effect set to Allow.
You can find the detailed documentation at Actions, Resources, and Condition Keys for Amazon EC2.