aws_waf_web_acl resource
Use the aws_waf_web_acl InSpec audit resource to test the properties of a single AWS WAF web ACL.
The AWS::WAFv2::WebACL AWS resource defines a collection of rules to use to inspect and control web requests.
For additional information, including details on parameters and properties, see the AWS documentation on the AWS::WAFv2::WebACL resource.
Install
This resource is available in the Chef InSpec AWS resource pack.
For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.
Syntax
Ensure that a web ACL exists.
describe aws_waf_web_acl(web_acl_id: 'WEB_ACL_ID') do
it { should exist }
end
Parameters
web_acl_id (required)
- The unique identifier for the web ACL.
Properties
web_acl_id
- The unique identifier for the web ACL.
name
- The name of the web ACL.
default_action.type
- Specifies how you want AWS WAF to respond to requests that match the settings in a Rule.
rules
- An array that contains the action for each Rule in a WebACL, the priority of the Rule, and the ID of the Rule.
rules_priorities
- Specifies the order in which the Rules in a WebACL are evaluated.
rules_rule_ids
- The RuleId for a Rule.
rules_actions
- Specifies the action that CloudFront or AWS WAF takes when a web request matches the conditions in the Rule.
rules_action_types
- Specifies how you want AWS WAF to respond to requests that match the settings in a Rule.
rules_override_actions
- Use the OverrideAction to test your RuleGroup.
rules_override_action_types
- The type of the OverrideAction to test your RuleGroup.
rules_types
- The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup.
rules_excluded_rules
- An array of rules to exclude from a rule group.
rules_excluded_rules_rule_ids
- The unique identifier for the rule to exclude from the rule group.
web_acl_arn
- The Amazon Resource Name (ARN) of the web ACL.
Examples
Ensure a web ACL is available.
describe aws_waf_web_acl(web_acl_id: 'WEB_ACL_ID') do
its('web_acl_id') { should eq 'WEB_ACL_ID' }
end
Ensure a web ACL name is available.
describe aws_waf_web_acl(web_acl_id: 'WEB_ACL_ID') do
its('name') { should eq 'WEB_ACL_NAME' }
end
Ensure a web ACL rule type is REGULAR.
describe aws_waf_web_acl(web_acl_id: 'WEB_ACL_ID') do
its('rules_types') { should include 'REGULAR' }
end
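The rules_* properties listed above are the per-rule fields of the web ACL's nested rules array, collected in array order, which is what makes `its('rules_types') { should include 'REGULAR' }` work. The following plain-Ruby model is an added example, not code from the InSpec AWS resource pack: it flattens a constructed GetWebACL-style hash into those properties and then runs the posture checks a control would typically assert (expected default action, required rules present, unique priorities, and rules or rule groups left in COUNT mode). All identifiers, ARNs and rule IDs in the sample are constructed.

```ruby
# Added example (not part of the InSpec AWS resource pack): a plain-Ruby model of how a
# WAF web ACL's nested `rules` array flattens into the rules_* list properties, plus the
# checks a control would assert on them. The hash below is constructed sample data.

SAMPLE_WEB_ACL = {
  web_acl_id: 'a1b2c3d4-0000-example',                                    # constructed id
  name: 'example-web-acl',
  web_acl_arn: 'arn:aws:waf::123456789012:webacl/a1b2c3d4-0000-example', # constructed ARN
  default_action: { type: 'ALLOW' },
  rules: [
    { priority: 1, rule_id: 'rule-sqli-example', type: 'REGULAR',
      action: { type: 'BLOCK' }, excluded_rules: [] },
    { priority: 2, rule_id: 'rule-rate-example', type: 'RATE_BASED',
      action: { type: 'COUNT' }, excluded_rules: [] },
    { priority: 3, rule_id: 'group-managed-example', type: 'GROUP',
      override_action: { type: 'NONE' }, excluded_rules: [{ rule_id: 'noisy-rule-example' }] },
  ],
}.freeze

# Mirrors the property names of the InSpec resource: scalar properties read one field,
# rules_* properties are the per-rule fields collected in array order.
class WebAclView
  def initialize(acl)
    @acl = acl
  end

  def web_acl_id;          @acl[:web_acl_id]; end
  def name;                @acl[:name]; end
  def web_acl_arn;         @acl[:web_acl_arn]; end
  def default_action_type; @acl.dig(:default_action, :type); end

  def rules_priorities;            rules.map { |r| r[:priority] }; end
  def rules_rule_ids;              rules.map { |r| r[:rule_id] }; end
  def rules_types;                 rules.map { |r| r[:type] }; end
  def rules_action_types;          rules.map { |r| r.dig(:action, :type) }; end
  def rules_override_action_types; rules.map { |r| r.dig(:override_action, :type) }; end

  def rules_excluded_rules_rule_ids
    rules.flat_map { |r| (r[:excluded_rules] || []).map { |e| e[:rule_id] } }
  end

  private

  def rules
    @acl[:rules] || []
  end
end

# Posture checks on the flattened properties. Returns an array of findings (empty when
# clean), so the same logic can back an InSpec control, a CI check, or a periodic audit.
def web_acl_findings(acl, expected_default_action:, required_rule_ids: [])
  view = WebAclView.new(acl)
  findings = []

  unless view.default_action_type == expected_default_action
    findings << "default action is #{view.default_action_type}, expected #{expected_default_action}"
  end

  missing = required_rule_ids - view.rules_rule_ids
  findings << "required rules missing: #{missing.join(', ')}" unless missing.empty?

  # Priorities define evaluation order; a duplicate means the order is ambiguous.
  dupes = view.rules_priorities.group_by { |p| p }.select { |_, ps| ps.size > 1 }.keys
  findings << "duplicate rule priorities: #{dupes.join(', ')}" unless dupes.empty?

  # COUNT (as a rule action or a rule-group override) only records matches; nothing is blocked.
  view.rules_rule_ids.each_with_index do |rule_id, i|
    mode = view.rules_override_action_types[i] || view.rules_action_types[i]
    findings << "rule #{rule_id} is in COUNT mode and does not enforce" if mode == 'COUNT'
  end

  findings
end

if __FILE__ == $PROGRAM_NAME
  puts web_acl_findings(SAMPLE_WEB_ACL, expected_default_action: 'ALLOW',
                        required_rule_ids: ['rule-sqli-example'])
end
```

Run against the sample, the only finding is the rate-based rule sitting in COUNT mode; asking for a BLOCK default action or a rule ID the ACL lacks adds one finding each. In a real profile the same assertions map onto `its('default_action.type')`, `its('rules_rule_ids')`, `its('rules_priorities')` and `its('rules_action_types')` on the resource.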
Matchers
For a full list of available matchers, see our Universal Matchers page. This resource has the following special matchers.
exist
Use should to test that the entity exists.
describe aws_waf_web_acl(web_acl_id: 'WEB_ACL_ID') do
it { should exist }
end
Use should_not to test that the entity does not exist.
describe aws_waf_web_acl(web_acl_id: 'WEB_ACL_ID') do
it { should_not exist }
end
be_available
Use should to check that the entity is available.
describe aws_waf_web_acl(web_acl_id: 'WEB_ACL_ID') do
it { should be_available }
end
AWS Permissions
Your Principal will need the WAF:Client:GetWebACLResponse action with Effect set to Allow.